At first glance, Antivirus Soft looks like a perfectly normal and legitimate anti-spyware program. Don’t be fooled by its professional appearance: once installed, it turns out to be just a new variant of Antivirus Live. It is essentially an upgraded version of that rogue, propagated through Newsoftspot.com and other blacklisted and porn websites. Sometimes this malware is also installed through security vulnerabilities with the help of Trojans. The trial version of Antivirus Soft first modifies the Windows Registry, then creates its fake, randomly named files and drops them on the system. Whenever the computer boots, Antivirus Soft launches immediately and starts its malicious activity, which has a single aim: getting you to pay for the “commercial” version of Antivirus Soft.
To push unaware PC users into buying, Antivirus Soft displays fake system scanners, infiltration alerts and other security notifications. It claims that the scan detected tons of malware and offers its “full” version to delete everything. The files it reports are the same ones Antivirus Soft created itself, so ignoring these alerts is highly advised. Antivirus Soft itself, however, should be treated the opposite way, because it does much more damage to your computer if it is left in place. If Antivirus Soft is detected, don’t waste your time. Use a reputable anti-spyware program or the removal guide below and delete Antivirus Soft as soon as possible!
How to remove Antivirus Soft?
1. Restart your computer. As your computer restarts but before Windows launches, tap the “F8” key repeatedly. Use the arrow keys to highlight the “Safe Mode with Networking” option as shown in the image below, and then press ENTER.
2. Open Internet Explorer. Click on the Tools menu and then select Internet Options.
3. In the Internet Options window click on the Connections tab. Then click on the LAN settings button.
4. Now you will see Local Area Network (LAN) settings window. Uncheck the checkbox labeled Use a proxy server for your LAN under the Proxy Server section and press OK.
5. Download an automatic removal tool and run a full system scan.
I’ve tried Spyware Doctor with the latest upgrades and it did not remove Antivirus Soft. I’ve also tried Windows Defender, after a 3 hour scan it did not recognise the rogue Antivirus Soft, neither did Malwarebytes and neither did my installed and automatically updated Avast! software. I’m at a loss as to how to get rid of this obnoxious software – can anyone else offer help?
Howard: do a full scan. By default these tools are set to do a quick scan, not full. Also, update it before scanning and try scanning in safe mode.
There is a small chance that there is a new version of Antivirus Soft in the wild that is not (yet) recognized.
I just removed Antivirus soft manually, because neither the Malwarebytes program nor spyware doctor found the infected files. I’m pretty sure this is a new version, as only last week I had to remove this program 3 times in our college helpdesk.
You would do a huge favour by sending the samples to PC Tools 🙂 , Aaron. As long as you did a full scan
I have downloaded several anti spyware programmes now, they seem to download and install fine, however when I go to open them (with the PC in safe mode with browsing) they fail to open. I will double click and nothing happens; I have waited for 15 mins with no result. These annoying pop-ups are really slowing my work down and I have a deadline looming. Any suggestions? Thanks
David: Check the registry if there is something fishy related to launching .exe files.
Alternatively, go to directory you have installed Spyware doctor, make sure you see file extensions. Make a copy of spyware doctor executable, Then rename it to smth.pif. Launch it, update, do a full scan.
I too have a problem with this spyware as well. I did a complete format and reinstalled everything from disks and reinstalled software saves on a PC that is not infected. The only thing I brought over was a backup of my documents folder, and an HTML backup of my bookmarks. Now I have it back on that computer and I do not have anything different on it than this one that I am using now with the exception of anti-virus software. I have been using AVG and SpyBot on the infected PC and just McAfee on this one that is not infected.
As for what I do different on that computer the only thing is I play Oblivion. That is its main function however, I still do the same email and my space and face book stuff and lots of research as well.
Can this software hide in the documents folder or in a link somehow?
David A: in document folder itself – rarely. In some cases similar viruses hide in Users application information folder. ( AppData), which is one level above the document folder. So you should be safe (if there are no executable downloads in your documents).
By itself, AVG Free has no rootkit protection. So some parasites manage to infect machines running AVG Free. Spybot was quite a good product (for a free one), but I am quite disappointed with its update frequency on 0 day infections last time I checked. I would recommend AVAST free or NOD32 (running it myself). Also, Spyware Doctor 😉 Not so happy with McAfee too – it made my new laptop really sluggish.
I have windows xp professional and just recently got this antivirus soft virus. I followed instructions off of another website first (bleedingcomputer) and downloaded the Malwarebytes version they had posted. It seemed like the program had deleted the virus, but after I restarted the computer in regular mode, the computer froze, like everything loaded and I was ready to start an application, but as soon I clicked somewhere, nothing would respond. I already have McAfee on my computer, but the weird thing is when I restarted the computer, it gave a message that “not all components were properly started or installed.” This has gone on over many restarts. I looked back at the files that Malwarebytes deleted, and they do not really correspond with the ones listed above. I went ahead and looked through the registry myself and found that most of them (not all of them) were still there, so I deleted them as well as the corresponding documents in the Application Data folder. But still the same thing has happened, even though it seems like the virus is gone. I’m wondering if I should ask Malwarebytes to restore whatever files there were that don’t match up to ones listed above, or will that just start the whole process over again? My computer can only run in safe mode right now, as in regular mode, everything freezes, even the task manager. Is there anything I can do or is my PC fried?
I got rid of Antivirus Soft by doing a system restore to the day before. Perfect.
Hello there, I was wondering if anyone could possibly tell me how to remove the Antivirus Soft, it is really messing up my laptop and I do not know how to take it off. Please help.
Thank you
alieah
I am having a lot of trouble with this malware. I have Malwarebytes and a couple of others (Stopzilla, Avast) but AntivirusSoft isn’t allowing any programs of any kind to be opened and I can’t access the registry to attempt to manually uninstall it. Any suggestions?
Well i restarted my computer and it seems to have done the trick, unless AntivirusSoft is being extra tricky and completely hiding out of sight, no popups or security alerts.
I started getting the Antivirus Soft popups/notifications starting around mid-day yesterday, 02/17/10. After realizing that the warnings were likely a fake (due to the broken English/poor wording on some of them – made me very suspicious), I searched for a fix and downloaded the rkill and Malwarebytes anti-malware links bleepingcomputer – did a full system scan with Malwarebytes, but nothing was detected, so on the suggestion of “sid” above, I did a system restore this morning (02/18/10) back to the date of 02/12/10 (I had one from 02/15/10, but decided on the earlier date, just to be extra safe) and haven’t had any problems as of yet. For those unfamiliar with how to do a system restore (I didn’t know either until I looked for it), here’s how to get there in Vista: Open Control Panel -> Administrative Tools -> System Configuration -> Tools tab -> System Restore (the 4th option on the list). Hope this helps other users out there. I consider myself a relatively savvy PC user, but I’m astonished at how aggressive this program was. I was suspicious about the notifications because I am very careful about not downloading from sources I do not trust, but somehow this one can be transmitted through PDFs, and I do download PDF documents all the time. Lame! One more reason to use a Mac!
I had a similar experience to Aaron Ender in that spyware doctor didn’t find antivirus soft.
I followed your directions in safe mode. I noticed a couple of differences.
The proxyOverride registry was not “”, it was “”.
The final registry directory was not “avscan”, it was “avsoft”.
There was no sysguard.exe, only sftav.exe
Hello,
Tonight I was browsing at work and this dreaded AntiVirus Soft program attacked the work computer. I tried to get online to find a good spyware/adware remover, but the AV Soft wouldn’t let me go to any other website, so I’d have to take care of it offline. it won’t let me open up any .exe programs either, saying that they’re infected and I have the option of either buying the “full” version of AVS or dismissing the warning. I haven’t tried the manual removal instructions yet but I will try it tomorrow when I go back to work. I know where to find all of the listed registries and files, but should I risk it or just call a technician in?
The only thing I have figured out to do is close Antivirus Soft before it starts by opening Task Manager as soon as my desktop comes up. I use Avast Free and Spybot got some stuff but didn’t do the trick.
update: the process that i deleted is named as hkwmsftav.exe
also in regedit the entries i have found are
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (xlmnpuow)
I am unsure of these two though, do I delete them or?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (igfxhkcmd)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (igfxpers)
Update: I deleted the entries listed above and Antivirus Soft did not pop up, however the above files that are supposed to exist in the application data do not exist or I am seeing something wrong. There are files there but they don’t seem to be connected due to dates of creation and description.
Another update: what is supposed to be found in the application data folder is a folder, not individual files. What I found was a named folder (accooorrre) or something like that, deleted it and all other necessary things (registry). Thanks for the help
SOLUTION:
1. Start in Networking safe mode
2. Download CCleaner(http://www.ccleaner.com/) – save to desktop
3. Open CCleaner Go to: Tools-Startup then look for suspicious program names such as hgdksl or fhdjxk. REMOVE these programs.
4. Exit ccleaner after removing anything suspicious.
5. Restart your computer like normal (Don’t let it load in safe mode)
6. You should now be able to open everything like normal.
7. run an Anti-Malware program such as MBAM(Malware Bytes Anti Malware)
8. Remove anything left infected and restart if prompted
9. ????
10. Profit
Hope this helps anyone that needs it. CCleaner is an awesome program.
I have Antivirus Soft on my computer, but it won’t let me open anything. I don’t know how to fix it if every time I open it the Antivirus Soft says it’s infected and then closes it automatically. Help, please?
Ok so I’m guessing bleeper isn’t a good reference.. umm can anybody help me? But I’m glad to know that I don’t have any real threats on my computer.. I’ll try doing what sid said but what if that doesn’t work? Then what would I do?
Just got hit today with this, after trying to purchase a replacement TV Remote control online. Ick. This program is nasty – it reconfigured my McAfee: it turned off Firewall, Virus Checking.
Thanks for the advice! I’ve got a project on my hands…
Hi,
Today I got this virus known as “Antivirus Soft”. It’s not letting me open any .exe in my system. I have Microsoft Forefront installed and scanning now… can anyone help me here please.. how to remove this????
The solution is actually really simple, once you identify you have the malware infection, turn off your computer and restart in safe mode.
Once in safe mode, do a system restore (directions above from sarah) and the infection will be gone.
I have windows vista basic.
I have been infected with antivirus live and I am not able to use my computer at all!
How can I install these removal programs if it will not allow me to use it?
@Aaron Ender
how did you remove it, i have tried malware and a couple others
One of my co-workers had this on her computer today. I had successfully removed it from her system by running “Super AntiSpyware” on her computer… ran it both in Safe Mode and regular mode.
The trick with this is when you reboot the computer… as the computer opens up and starts its processes, double click on Super AntiSpyware program before the processes of Antivirus Soft processes start to run. It is imperative to quickly get that program (Super AntiSpyware) on your desktop so you can run the scan. Once Super AntiSpyware program opens before the malware processes begins again, you can do the scan and allow it to delete what it finds. Just ignore the pop ups from this malware… if you have to, move the super antispyware program box over to the side so you can still see the scan and to be able to tell it to delete what it finds.
In addition to running the Super AntiSpyware software in both Safe Mode and Regular Mode, you have to, unfortunately, also delete the registry entries manually…. just as it tells you all the way on top of this site… which are as follows:
To Stop the Antivirus Soft Processes:
[random characters]sysguard.exe
[random characters]sftav.exe
To Remove the Antivirus Soft Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random characters]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[random characters]”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=127.0.0.1:5555”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = “.exe”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyOverride” = “”
HKEY_CURRENT_USER\Software\AvScan
To Remove the Antivirus Soft Files:
Windows XP:
%UserProfile%\Local Settings\Application Data\[random characters]\
%UserProfile%\Local Settings\Application Data\[random characters]\[random characters]sysguard.exe
%UserProfile%\Local Settings\Application Data\[random characters]\[random characters]sftav.exe
Windows 7:
%UserProfile%\AppData\Local\[random characters]\
%UserProfile%\AppData\Local\[random characters]\[random characters]sysguard.exe
%UserProfile%\AppData\Local\[random characters]\[random characters]sftav.exe
********************************
You also have to go into Control Panel>Add or Remove Programs and uninstall some other spyware software that will still be embedded on your system…. such as “avstracking.exe”… which is what I had found on her computer after doing everything I mentioned above.
********************
Once I did everything above, I restarted her machine in regular mode and found no instance of this malware.
Hope this helps all of you.
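The registry and file indicators listed in the comment above can be checked against an exported .reg file rather than by eye in regedit. The following Python sketch is an added example, not part of the original page or of any tool named on it; the sample export, its directory and user names, and the function names are constructed for illustration.

```python
import re

# Constructed sample in regedit's .reg export format. Value names reuse ones
# quoted in the comments on this page; directory and user names are made up.
# (Real "Version 5.00" exports are UTF-16: open(path, encoding="utf-16").)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"xlmnpuow"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\qwkxbn\\hkwmsftav.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\avsoft]
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, name, data). A key header yields (key, None, None)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            yield key, None, None
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('dword:'):
            yield key, name, int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash
            yield key, name, re.sub(r'\\(.)', r'\1', raw[1:-1])
        # hex(...) and other value types are not needed for these checks

# Indicators taken from the list above; compared case-insensitively.
HKCU_CV = r'hkey_current_user\software\microsoft\windows\currentversion'
RUN_KEYS = {HKCU_CV + r'\run',
            r'hkey_local_machine\software\microsoft\windows\currentversion\run'}
# AvScan is from the list; "avsoft" is the variant a commenter reported.
BRAND_KEYS = (r'hkey_current_user\software\avscan',
              r'hkey_current_user\software\avsoft')
# <profile>\...\<random dir>\<random>sysguard.exe or <random>sftav.exe
DROPPED_EXE = re.compile(
    r'\\(?:local settings\\application data|appdata\\local)'
    r'\\[^\\]+\\[^\\]*(?:sysguard|sftav)\.exe', re.I)
VALUE_CHECKS = {
    (HKCU_CV + r'\policies\attachments', 'savezoneinformation'):
        lambda d: str(d) == '1',
    # The page lists http=127.0.0.1:5555; any loopback proxy is worth a look.
    (HKCU_CV + r'\internet settings', 'proxyserver'):
        lambda d: '127.0.0.1' in str(d),
    (HKCU_CV + r'\policies\associations', 'lowriskfiletypes'):
        lambda d: '.exe' in str(d).lower().split(';'),
    (r'hkey_current_user\software\microsoft\internet explorer\download',
     'runinvalidsignatures'): lambda d: str(d) == '1',
}

def audit(text):
    """Return a list of (key, value name, reason) for entries to review."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if any(k == b or k.startswith(b + '\\') for b in BRAND_KEYS):
                findings.append((key, None, 'rogue product key'))
            continue
        if k in RUN_KEYS and isinstance(data, str) and DROPPED_EXE.search(data):
            findings.append((key, name, 'autorun from per-user app data: ' + data))
        check = VALUE_CHECKS.get((k, name.lower()))
        if check and check(data):
            findings.append((key, name, 'setting matches the rogue: %r' % (data,)))
    return findings

if __name__ == '__main__':
    for key, name, reason in audit(SAMPLE_REG):
        print('%s  [%s]  %s' % (key, name, reason))
```

Because the file and value names are random per infection, the Run check matches on the path shape and the `sysguard.exe`/`sftav.exe` suffix rather than on a fixed name, so the `igfxpers` entry under `system32` in the sample is not reported.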
I was infected with Antivirus Soft and I can’t do anything at all.
I have tried to restart it in Safe mode. Couldn’t do it either.
The same story as I had before – can’t do anything. When I do any action a box popping up ” Application cannot be executed…………….’
Restart your computer, tap F8 before Windows starts up, then start your computer in “safe mode with networking”. Download Malwarebytes (it found mine), run the scan, remove what it finds and restart.
@sarah
Did your system restore actually REMOVE this annoying program? Or did it just suppress it? My dad’s business computer just got hit with it today due to some careless browsing and downloading on his part and I’ve been working for almost 2 hours trying to get rid of the stupid thing. MalwareBytes didn’t detect it the first scan I did, so I updated it and am now scanning again. Hopefully this works. But did the system scan REMOVE Antivirus Soft?
UPDATE: I finally got it removed after 2 hours of work. I found out that when I had originally downloaded MalwareBytes, the update had failed. So essentially, I performed the first scan with the out dated version of MalwareBytes. When it hadn’t found anything, I clicked the “Updates” tab and clicked the “Check For Updates” button. It installed the updated version of MalwareBytes which ultimately detected and REMOVED Antivirus Soft. Thank God! Hopefully this helps. To everyone who looks at this comment, here are the steps you need to follow:
-Restart your computer. When it gets to the reboot screen repeatedly press the F8 key until you get a prompt asking you how you’d like to start windows. Start Windows in SAFE MODE WITH NETWORKING.
-If it asks if you’d like to continue in Safe Mode, select “YES”.
-If using Internet Explorer, open it. Click on the “Tools” menu on the menu bar. Select “Internet Options”. Select “Connections”. Click the button “LAN Settings”. On the bottom half of the box UNCHECK the box next to “Use a proxy server for your LAN”. (If this is checked, it will prevent you from accessing any websites).
-Download the MalwareBytes software. Make SURE that your software updates upon installation. If you get an error saying “Update Failed” with a message, simply try to update it again by clicking on the “Updates” tab and clicking the “Check For Updates” button. (I don’t believe Antivirus Soft can be detected by the old version of MalwareBytes. An update is absolutely necessary).
-Make sure you perform a FULL system scan. “Perform quick scan” is the default box checked. This will most likely not detect Antivirus Soft if performed. Perform the Full Scan. This will take a long time to perform (depending on how many files are on the computer). Once it’s finished, it should have things detected which have things such as “Trojan.fake” and variations, etc. in the name. A big thing to look for is the “HKEY_” in the file. Remove these files and restart your computer.
-By this time, you should be able to log in using normal Windows and Antivirus Soft should be removed.
Hope this helps!
Good luck to all!
I just got this too. Appears to have been in a PDF. Extremely aggressive pop ups and then of course it blocks the web browser and forces everything thru its own proxy server. Impossible to bypass without entering safemode. So far Malware is finding nothing. I found a gibberish entry it put in the registry. It also popped up a porn site and a viagra site. This is an extremely nasty virus and these clowns are obviously traceable …. makes you wonder how they get away with it. Can trace them via their own proxy servers and the cra they advertise. They take credit cards – where are the so called law enforcement?
Update: I removed one registry entry manually and running malwarebytes in safemode appears to have worked. However running it again show traces still exist and its trying to make a comeback.
Yes… When your computer starts up, be sure to get right into the START>RUN>REGEDIT…. OR your Anti Spyware program, etc. The trick is to begin getting into these immediately as soon as your desktop displays on your screen. It takes about a minute or less for this annoying thing’s processes to start running on your computer.
So, the trick is to be quick with it. I recommend that when you boot in Safe Mode, and the screen opens up (unfortunately, this thing will still start to run), go into your web browser quick and download whatever file you need (to download an antispyware program, etc. if you don’t already have it). If you start your web browser before the processes start running, you’re in the clear. You just have to ignore the boxes that come up from this thing once it starts running. Don’t click on anything really… just make like it isn’t there and get straight away to doing what you need to do.
You will see that any of these anti-spyware programs won’t get rid of all of it, but they will get rid of a good amount. Once the anti-spyware program completes and you get rid of all the crap it found, reboot… once your desktop displays on the screen, IMMEDIATELY go to START>RUN>REGEDIT to delete the above-mentioned registry entries. You will find that as you start deleting stuff, it will slow down the processes and eventually this thing stops because there’s nothing left of it to run.
REBOOT again and it shouldn’t really be there at all. But, when you reboot, go to CONTROL PANEL>ADD OR REMOVE PROGRAMS. Check the software you have listed and make sure you remove any and all weird software mentioned on the list. In my case, I found something called “avstracking”.
I was able to remove antivirus soft program but I am not able to connect to the internet. Can anyone help
I have found Malwarebytes to be an effective way to get rid of Antivirus Soft IF you get the program up and running before the rogue takes root. I was able to get the Malwarebytes up and running and DID A FULL scan. It took over 2hr 30 min to complete and found 4 Trojans. It was able to get rid of them and so far there has been no repeats.
Something that I noted is that when Antivirus Soft was infecting my PC…It would try to load up porn sites using Internet Explorer. Has anyone else experienced this when their machines where affected?
I’ve had this virus for weeks and it even caused my Windows XP SP3 to get multiple blue screens stating memory/cache/bios overload or something like that. Some processes were hogging all my. I wasn’t able to update MalwareBytes, SpyBot, etc, even in safe mode with networking. I finally found this thread and read all the comments. I did a manual removal (found most registry entries but not all of them as listed), also it was avsoft on my machine. After manual regedit in safe mode, finally got MalwareBytes to update, also updated SUPERAntiSpyware and SpyBot. Running them all now and still finding stuff. This virus must be a new version. I found some processes running that had zero Google results, one was pplosftav.exe
James : Antivirus Soft uses random file names, like Antivirus Live did. I would guess process names typically end in sftav.exe now, though there might be other versions still active. Thus scanners that are based on file name recognition do not work that well against the latest parasites, and humans can detect malicious processes. Full scans (which check files against a database) should find these infections in most cases. I would recommend scanning with Spyware Doctor as well – it has a better database than Spybot, for example.
I just found out I got this virus from the massive pop ups and it won’t let me do anything! It won’t let me even do a system restore, I have Windows Vista. And I went into safe mode with networking and it won’t connect to the internet… any suggestions now?
Oh yes, and on my normal networking without safe mode it won’t let me get onto the internet to download anything to get rid of the program.
Someone above mentioned it already, but I’ll say it again since it worked VERY well for me. Go into safe mode with networking to connect to internet via LAN (wireless does NOT work). Download CCleaner, go into “Tools” and then “Startup.” Look for a bizarre named file like “hdjkpp” and “Disable” it. Restart in normal mode and if you can access files normally, you’re half way there. Point here is to kill the startup process that prevents you from accessing anything else. Once that’s taken care of, you’re free to hunt down the contaminated files at leisure though you should do everything before rebooting.
Now download Malwarebytes Anti-Malware and/or Super Antispyware or w/e. Update to latest version either automatically or manually.
I had to do the latter. Run and clean and you should be good to go.
@Eric
You probably have AntiVirus Soft processes still running in the background.
Do another search through RegEdit and delete weird looking entries. These entries look like something like this: aefsdfsdflj or similar
After removing all those entries, reboot…. your internet connection should be fine. If not, then you should go back into RegEdit and skim through to see what you may have missed.
@A. Sanchez
Yes. It did that in all of the infected computers I fixed.
Wow… I have been battling this for 4 days now.
I have used Malwarebytes, Avast!, and Rkill. I noticed I show no signs of any pop-ups anymore, but like Joe #9 above, my computer is CREEPING…
I just tried to do a system restore, and for some odd reason, I cannot open system restore. This is a bugger!
I am starting to lose hope! (I will try Spyware Doctor next)
stay tuned…
If your system allows a “System Restore” feature to return your computer to an earlier operating state, then this is an easy fix. This worked for me. Just choose an earlier date than the date you got this annoying virus and follow the instructions and you’re done. You may have to select this feature from safe mode because in regular mode this virus won’t let you get there. But in safe mode you can do a system restore. To get to safe mode keep tapping F8 as your computer is starting up. Click the Start button then All Programs, then Accessories, then System Tools, then System Restore then Restore my computer to an earlier time and click Next … typically the restore dates are in bold on the calendar that pops up, so choose one and click next. The Restoration Complete screen appears after System Restore finishes collecting data and then the computer restarts, click OK and you are GOOD!!! To whoever came up with this virus, may I say to you — you are scum!
I too, did a system restore to the day before and everything is running perfect.
Tap f8 while you’re rebooting, restart in Safe Mode and When prompted to do a System Restore or not click “Yes” and restore to the day before. Done.
just performed restore and so far so good…thanks!
Got this cute little F@cker while watching tv online, saw an old version of Acrobat open up and knew what was going to happen. Haven’t dared manually remove it yet, hopefully an automated one will get it. It’s quite annoying, it even had the guts to tell me solitaire was infected!
* to the people that cant connect to the internet – i read somewhere that it changes you to a proxy server and you have to manually turn that off and then you should be good to go.
Thanks to everyone who mentioned the system restore option. It was the only thing that worked and it saved me a huge headache.
If these scam artists are ever caught, we should be allowed to each give them one punch in the teeth for wasting our time.
Do I need to go back and change the LAN setting after completion?
And my thanks to everyone; I successfully used the system restore option. This site was a HUGE help and headache saver. I was searching for something this morning and remember clicking on a .pdf file; wonder if that was the source of the Antivirus Soft? After restoring the system, I updated and re-ran Spybot; nothing found; Downloaded and ran Malwarebytes; that found 1 item on my c:drive and 5 items on my back-up hard drive! Note, I ran the full scan (5+hours). I also downloaded, installed and ran the CCleaner tool. Not sure of any bad files found, but it did clean 2.5 Gigs of files off my system. Good luck to all who are unfortunate enough to find this Antivirus Soft malware.
PSL : No. These lan settings were created by antivirus soft and are malicious.
Chris: Yes, PDF files can spread the infections if you have unpatched Adobe reader and/or no real time protection from viruses AND malware. I would recommend downloading latest adobe reader from adobe and getting some antivirus (AVAST, ESET, etc) and antimalware (Spyware doctor or superantispyware, malwarebytes) with real-time protection.
Here goes! Thanks all 4 info! Gonna start with the system restore!
I am trying the safe restore in XP on my netbook. It keeps telling me that I cannot run restore in safe mode and that I have to go to normal and run it. Do you think the little B@$%tards that made this evil thing are catching on to this fix?
Sid, Sarah, Garrett….Just got this nasty thing this am…..almost called Norton and almost paid $99 to have them remove this….your advice…worked!!! Thanks for the help 🙂
I did all you said but now it keeps shutting down with a blue screen that says “a kernel thread terminated while holding a mutex”. Any ideas??? Thank you so much for your time
i got lucky and had just bought a new laptop and moved my music and pics onto it. i did a full destructive restore on my computer. it fixed it. destructive restore should be a last resort. it will completely restore your system to factory settings. everything is erased, and you start out with exactly what was on the computer when they rolled it outta the factory. it is in the advanced options of system restore after pressing F10 during startup.
PSL : it is likely that you got a rootkit in your system (old version) that got only partly removed. You might need to reinstall PC if you can’t boot. If you can boot, do a scans with spyware doctor and see if everything got removed manually.
I got the virus, and performed a system restore for a month earlier (I wanted to make sure I was safe – I get kind of nervous about these things). Seems to have fixed the problem. I had to do the system restore in safe mode with networking, because the Antivirus Soft wouldn’t let me get into any of my add/remove programs or even do a system restore while in normal mode.
I did the system restore, I went back about two weeks. The trick at least with mine, was to get the restore screen open before all the pop-ups.
I would like to beat the crap out the buttlick that made this!
I couldn’t turn on system restore in the safe mode. It says: “system restore has been turned off and cannot be turned on in safe mode. To turn on system restore, restart in normal mode and then run system restore again”. But in normal mode, the “antivirus soft” will not allow to run system restore. How can I do? please somebody help me.
I used Nate’s method… CCleaner worked perfectly… I simply booted Windows in safe mode with networking, downloaded CCleaner, once in CCleaner I clicked Tools on the left hand side and then clicked Startup, it will then give you a list of your starting processes. I wasn’t sure what .exe were the virus so at first I disabled until I located which one… it will most likely be something like xidexe or hgdksl… once you have figured out which one it is you can delete it through CCleaner and then you will be good 2 go
I’ve been up the whole night trying to get this thing off my computer. I first tried to find it and disable it. Didn’t work, then I jumped on another computer to try and find some answer. I’m so upset at how aggressive this thing is, I wasn’t even on any website I’d never been on before. Facebook for crying out loud! Have just done a restore and it still hasn’t worked. I think I may have to bite the bullet and call a professional.
Hi – like the others, I’ve got it … nasty bug…
Yesterday I was able to remove it manually – I thought. Today PC booted ok and after an hour or so started acting funny and I lost internet access. Symantec anti virus reported stopping the virus (along with two other files, probably related). Everything seems back to normal, malwarebytes and symantec report nothing. BUT I still have no internet access. Even a quick manual search turned up nothing suspicious. Other PCs on home network work fine. I tried installing a fresh copy of Firefox, no go … any ideas on where to look for the problem?
A couple of other bits that may help to know. As far as I can tell, Skype does work. IM and browsers are dead. I have tried several system restore points, but in each case, after reboot it comes back to say that nothing was changed because the system cannot be restored to that point. Everything else seems to work fine. I am assuming that during the second round of the trojan installation – something was changed and the anti malware doesn’t fix that.
The three files that Symantec caught were njjwsftav.exe, VtAA.exe and cvWJ.exe
Hi everyone. I need some help with this problem. I did a scan on MBAM (Malwarebytes Anti-Malware) and found like 2 infections. After I restarted and did the scan again, the virus did leave but it screwed my wireless. Because whenever I try Safe Mode with Networking the wireless works, but when I run Windows normally it does not grant me complete access. One more thing to add, whenever I open my Windows normally I get this installation request which comes twice, which is the antivirus soft request. Please help me with this problem. I have to get my PC to its natural state. Please anyone ….
Thank you
Wow this virus really sucked, I dealt with it for 3 days. I know little about computers but figured I could find something on the internet to help me and this website was the answer. I read all the posts and used the safe mode and restored my system and that fixed the problem, then to be on the safe side I downloaded Malwarebytes and got rid of this Antivirus Soft. Thanks everyone who posted
My wife’s computer got this yesterday. I was able to restore the system and it seemed to be working fine for a while, but she reports more problems today, including frequent blue screens. She’s able to get on the Web, but is having trouble running a full virus scan. I downloaded malwarebytes on a thumb drive and will run that tonight, but did we miss something with the system restore?
I should clarify. I did the system restore back to Friday, two days before the virus started. But is it possible it was lurking in there before then even though it had not started the pop-ups? I’m just trying to get the computer running for her reliably until I can fully remove the virus.
I would like to first thank the Good Fellas @ http://www.2-viruses.com for this article as well as all of you who commented here. With the help of this article, Sid, Sarah, Garret and Dawn’s comments to use restore, I was able to get rid of this virus under 10 minutes as easy as it gets. I much appreciate all your time you spent here to share a solution. Keep up the good work. Be Happy!
Jim : Sometimes restore points are infected or virus resides in user space and is not affected with system restore. The best way to make sure is to do a scan with couple good anti-spyware/malware programs, and keep up-to-date anti-virus and anti-malware with real time protection.
This one is really bad. I initially right clicked on the popups and determined where the file was originating. Once I did that, it went into full force protection to not allow me access to the folder. I couldn’t even access in the safe mode. It hid all my files in my user/admin account when it was active. I restarted the computer and started task manager as quickly as possible to disable the exe before it blocked me from everything. Once I did that, I was able to unhide the files, find it and delete it. This is one of the worst I’ve seen. Windows defender or Norton didn’t pick it up, even with the full scan.
These bastards nailed me yesterday.
Virtually crippled my computer in a matter of seconds.
I immediately ran my free home version of avast and it caught 2 trojans.
Internet would not work so I found this website on my G1 phone.
Safe mode.
Deleted all suspicious registry entries I could find as instructed by rsarrock.
Then I decided to try sid’s advice and while still in safe mode, I did a system restore to 2 days earlier.
Then I rebooted and everything seemed fine but I ran spybot anyway and then avast one more time.
I finished by running ccleaner. Computer is running like new! Thanks so much guys!
Wow, this one is tough. It totally prevents my computer from going on the internet (hence I can’t download antivirus software). It’s also blocking some microsoft XP functionality. Does anyone know if Antivirus Soft prevents your PC using Windows XP from doing a system restore? I can’t find any System restore points or system restore radio buttons to push on my infected PC.
Thanks for the help, looking good so far. Doing a few final clean up scans.
Should note I tried the manual removal method, could not restore. And Malwarebytes I could not update, LAN locked out even in safe mode. Perhaps it was the proxy I removed manually later.
Going to bed, hopefully the scan won’t find anything else now, and my wife’s laptop will be clean. Seemed fine though when I restarted in normal mode.
Thanks Again.
If it helps anyone, the newest version installs as gxxistav. The locations are all roughly the same, just be on the lookout for this new iteration of the .exe and reg entries.
I just picked up this nasty virus today while on my own Facebook page. It is definitely a pain.. It did mess with my IE, but I was able to use my Firefox fine with it. I tried to do a system restore, was my initial idea, but this virus wasn’t allowing me to access the system restore files.. a pop-up would appear stating that it could not execute the file because it was infected. Highly annoying. I decided to browse the internet and try to find a solution, hopefully someone has had this problem before, which is how I found this site. I, also, was getting pop-ups from IE that was trying to take me to pornography sites. After my Avast! did not pick up the virus during a quick scan (thorough takes a lot longer, more than I’d like to keep the virus on my system) I decided to restart my computer and go into Windows Recovery (F11). I restored my computer to my last Windows update which was yesterday, and as of right now I have no problems. It seems that the virus has been wiped.
I suggest doing a system restore before doing anything else to see if it will take care of your problem. If you cannot access it the usual way (through system tools), then just restart your computer and go into the Windows Recovery to restart it from there. Hope this helps!
@David A
It seems to be user specific on one of my client computers, and I’ve found some of the files in the users local settings, so yes, if you copy their my documents folder you will also copy the virus.
Having the same problems as you all but I can’t get into ANY SAFE MODES. I can log on normally but can’t open IE, Safari or Google Chrome, can’t open any files or perform any actions further than looking at the desktop and bogus infection messages. PLEASE HELP!
The reason why Malwarebytes’ Anti-Malware is not updating might be that you have not fixed the proxy thing, as explained at the top of the page. My Firefox was running fine, so I assumed that was not a problem.
Even if it does not stop Firefox from running, it stops Anti-Malware from updating. Once I fixed that, there were no more problems updating.
I think I have killed it now, but we will see…
I found a very easy way to remove Antivirus Soft. It wouldn’t let me open any file except the one to buy the software. I had anti virus software programs on my computer. OK, I bought their $49.95 version. Who else would know better how to get rid of this monster than those who created it. After they get your money they want you to be happy with the results with no complaints. Well, I ran their program and sure enough in five minutes or so it was completely gone. No going into safe mode, no buying another remover, no deleting files for hours and hours.
But they did have $49.95 of my money. Before I bought the program, I noticed they had a money back guarantee. The next day I called my bank, told them what they were doing and that I wanted to dispute the charge if I didn’t get my money back. Next, I e-mailed them stating my displeasure with their scam and asked for a refund and much to my surprise I received an immediate reply saying they would credit my debit card within 5-10 business days. Well it didn’t happen, so I e-mailed again and they claimed there must have been a glitch and they would reissue the credit. A couple of days later the $49.50 was back in my account. So, there still must be some honor amongst thieves. Worked for me, good luck!
I wasn’t able to go into SAFE mode on my laptop (windows XP), so I followed the instructions on this website and tried the following. It worked. Included below are the list of steps:
1. downloaded ccleaner and malwarebytes antimalware (MBAM) on another computer, saved them on a memory stick and then transferred them to the infected laptop
2. installed and ran ccleaner on the infected laptop but it didn’t find anything
3. Then installed MBAM with which I had problems running the program initially as I was getting runtime error 0 and runtime error 40
4. The trick with this is when you reboot the computer… as the computer opens up and starts its processes, double click on the MBAM program before the Antivirus Soft processes start to run. It is imperative to quickly get that program (MBAM) on your desktop so you can run the scan. Once the MBAM program opens before the malware processes begin again, you can do the scan and allow it to delete what it finds. Just ignore the pop ups from this malware… if you have to, move the MBAM program box over to the side so you can still see the scan and be able to tell it to delete what it finds. (copied from somebody else’s post)
5. MBAM found two objects which it eliminated but still Antivirus Soft was present in the infected laptop and I was still not able to get anything done
6. Then, went into the registry files (start –> run –> regedit) and deleted the following files
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random characters]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[random characters]”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=127.0.0.1:5555”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = “.exe”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyOverride” = “”
HKEY_CURRENT_USER\Software\AvScan
7. Then, rebooted the computer and it is working fine now
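The registry values listed in the comment above can also be checked offline against an exported .reg file, for example one taken from a disk attached to a clean PC. The following is an added example, not part of the original comment or the site's guide; the function names, the constructed sample export, and the rule that flags Run entries starting from a user data folder are assumptions of this example.

```python
import re

# Constructed sample in the text format written by `reg export` (real exports
# are UTF-16; decode them to str first). Names and paths below are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"abcdwxyz"="\"C:\\Documents and Settings\\User\\Local Settings\\Application Data\\qwrtpl\\abcdsftav.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\AvScan]
'''

CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
IS_ONE = lambda v: v in (1, "1")  # the comment writes "1"; exports show a dword

# (key, value name, predicate on the data, reason) for the settings in the list.
SETTING_CHECKS = [
    (CV + r"\Internet Settings", "ProxyServer",
     lambda v: "127.0.0.1" in str(v), "browser proxy points at loopback"),
    (CV + r"\Policies\Associations", "LowRiskFileTypes",
     lambda v: ".exe" in str(v).lower(), ".exe treated as a low-risk download"),
    (CV + r"\Policies\Attachments", "SaveZoneInformation",
     IS_ONE, "zone marking of downloads switched off"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download",
     "RunInvalidSignatures", IS_ONE, "invalid signatures allowed to run"),
]
# Keys that commenters on this page report deleting.
MARKER_KEYS = [r"HKEY_CURRENT_USER\Software\AvScan",
               r"HKEY_CURRENT_USER\Software\avsoft"]
# Assumption of this example: autoruns started from these folders deserve review.
USER_DATA_DIRS = ("\\appdata\\", "\\local settings\\application data\\")


def decode(raw):
    """Turn the right-hand side of a .reg line into an int or a str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo \\ and \" escapes
    return raw  # hex and other types are kept as raw text


def parse_reg(text):
    """Return {key path: {value name: data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = decode(m.group(2))
    return keys


def audit(text):
    """Return a list of (key, value name, reason) findings."""
    parsed = parse_reg(text)
    # Registry key and value names are case-insensitive.
    lowered = {k.lower(): {n.lower(): d for n, d in v.items()}
               for k, v in parsed.items()}
    findings = []
    for key, name, is_bad, why in SETTING_CHECKS:
        values = lowered.get(key.lower(), {})
        if name.lower() in values and is_bad(values[name.lower()]):
            findings.append((key, name, why))
    for key in MARKER_KEYS:
        if key.lower() in lowered:
            findings.append((key, "", "key reported on this page as left by the rogue"))
    for key, values in parsed.items():
        if key.lower().endswith("\\currentversion\\run"):
            for name, data in values.items():
                if any(d in str(data).lower() for d in USER_DATA_DIRS):
                    findings.append((key, name, "autorun starts from a user data folder"))
    return findings


if __name__ == "__main__":
    for key, name, why in audit(SAMPLE_REG):
        print(f"{key} {name!r}: {why}")
```

A finding is a prompt to look at the entry, not proof of infection: legitimate software also installs autoruns under the user profile.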
OK, here’s my story: I was keeping up on the news at Google’s website, and I clicked a link to Ha’aretz Israeli news. It wanted to install a cookie, and I didn’t let it. After that, my IE windows closed, all of them. I thought “wow, that’s weird” and opened it back up. Then I started getting the Antivirus Soft popups. At first I thought it was my Avira software, then I noticed the really bad English. I’m always careful about internet content and I haven’t picked up anything bad for years now. This computer’s pretty new, though, and I don’t have all the protections installed yet. Anyway, I used another computer to start looking for a solution to the problem after disconnecting that one from the network. It wouldn’t let me open regedit or msconfig, said they were infected, so I started up in safe mode. Then I was unable to find any of the registry entries listed except 1 entry for sysguard.exe. No obvious random entries in any of the directories, either. Then I tried system restore, and so far no Antivirus Soft popups. However, I was unable to get my Avira software to run properly. I’m going to reinstall it and try again, then we’ll see. Good luck to all, this thing is nasty! BTW, I don’t even have Adobe reader installed on this machine, and didn’t open any PDF files.
i downloaded the automatic spyware removal and it didnt run. what can i do?
woo : Right-click on it and run as administrator (On vista/Win 7). On xp, start task manager, find execute new process and enter full path to executable.
I tried system restore and it just seemed to make things worse. It won’t even take my password now to log on to the computer anymore. What can I do?
Hi folks, just a quick update: using the “system restore” function on XP Home seems to have worked, although I did have to reinstall my Avira antivirus software. Jim, your solution of playing along is an interesting one, but I can’t help thinking if they hijack you once, they’ll do it again.
@Raj good job on the reg edit. FYI for CCleaner, you have to go to Tools->Startup and remove anything with a random suspicious name.
I had a first attack of Antivirus Soft on 22nd Feb 2010. AVG was inactivated by the virus and it started proliferating itself by opening many new sites. I downloaded MBAM and scanned the system. 36 infections were noticed and all were removed. For an hour, the computer was working, but the virus appeared again, stopping the computer. This time I switched the user and again scanned with MBAM. It failed to detect anything malicious. Finally I downloaded Stopzilla and did a full scan. It removed the virus fully. But for how long I don’t know
Danver : MBAM missed the original trojan downloader in your case. Also, it has no real-time protection in the free version, which allows some trojans to reinfect the system. I would recommend keeping at least one tool running with real-time protection.
I was able to restart my computer in safe mode and system restore to a previous date. Then the only related file I could find was GRCDSFTAV.EXE-3B1A4ACO.pf in C:\WINDOWS\Prefetch and deleted it. So far seem to be in the clear!
I used Combofix and this seems to have worked. Must be used in safe mode.
i was downloading some n64 roms when it came out of nowhere, imma try the system restore and reply when i find out if it works
alright i’m back….system restore works, i set one up every weekend after comp scan finishes, i didn’t have to go into safe mode, just restart and quickly restore before antivirus soft had time to load, it’s working fine…..for now
I have/had it too.
🙁
System restore has apparently worked though.
A lot of people I know (including myself) seem to have gotten it from clicking ads on livejournal, just a heads up.
I just recently got rid of that terrible malware “Antivirus Soft”. I had an antivirus program installed (Norton, it is supposed to be good) but even that did not stop that rogue virus to infect my computer. I downloaded Malwarebytes, SpywareDoctor you name it NONE OF THEM WORKED. The only thing that helped was System Restore. Norton is good, but this time, it failed.
Wow! I came home about 10:30 to find this thing running amok on my system. It’s now 12:20 am, and I *think* I’m in control again. It was as “simple” as running system restore from safe mode, though it took me several tries to get there. In the morning, I will run a full scan with AntiVir, and double-check add/delete programs for anything odd I may find there. Thanks to everyone for their instructions and comments!
I have a computer that has this fake antivirus, and it has all the symptoms that I am reading about on here plus one more crucial one: it is blocking all internet access, it blocks all programs trying to connect to the internet. Tried the bleeping com solution and failed, tried restore and failed, and even tried spyware terminate software and failed, and also tried them all in safe mode. What options do I have left?
I just got this nasty virus two days or so ago, and only tried to remove all of it last night using the bleepingcomputer method and MBAM. I was able to access the internet and download the program using Firefox, but could not run it. So I rebooted in safe mode with networking and ran a full scan (with MBAM). It deleted over 300 infected files. After that I thought it was gone, but I rebooted and all the pop-ups began again. So, I used this program from the bleepingcomputer site called rkill com as soon as I started up. (The program, rkill com, just deletes all known processes of malware, instead of having to do it manually.) I was then able to run a full scan in normal mode where 42 MORE infections were deleted.
I think i may have still had the problem, until downloading STOPzilla (free version) which had detected the virus. I am uncertain if it had killed it altogether or just stops it while it is running. It said i need to buy it to delete the files… But the problem seems to be gone now. Thanks for all the people with their solutions.
P.S. I did not remove any of the registry keys manually, Should I?
@Juan Try doing everything I stated in post #21. Tell me how it goes.
Update:
I deleted a file in the registry:
HKEY_CURRENT_USER\Software\avsoft
I am too unsure to delete the rest of the files in the registry.
Hello there, I’ve had this annoying virus 2 times now. I just wanted to let you guys know the easiest way I’ve found (without a system restore) to correct this pest: all you need to do is go into safe mode on your computer, make sure the internet settings are back to normal (as shown above), download Spybot Search and Destroy, and run it. Every time it has been able to remove the virus. I also run HijackThis and make sure to google EVERYTHING that might seem random or odd.
Wish you all the best of luck 🙂
Maulum : ever wondered why virus returns if you use Spybot and hijackthis only ? 🙂 Get some real antivirus and anti-malware programs with real-time protection … obviously your PC is either in infected network or websites you visit are infected.
Actually I got them 2 times about 6 months apart, also I have found that every time the registry entries have been removed. I am 100% sure that Antivirus Soft has been removed from my computer both times, the 2nd time being today. Also I received the virus on different websites both times, just bad luck. All I’ve been trying to do is help people with that problem, with the method that has worked as said 100% for myself.
Enjoy 😉
EDIT: I forgot to mention I have let the following scan without finding any results.
AVG
Malwarebytes
Avast
Kaspersky
All of which were fully updated, only Spybot was able to find the problem.
Maulum : why not keep some antivirus and anti-malware then ? 🙂 In most cases this helps avoid problems before they happen… never make the same mistake twice 🙂 I have seen cases when a reinstall becomes the single option to fix the PC … few, though…
I enjoy the adventure of trying to destroy an invader 😉 … no i don’t really know why, i keep Avast on my computer but disable it, i almost never get a virus. The 2 times i got Antivirus soft were the only 2 i ever had in the 5 years of owning this computer.:D
On another note, the guide you guys have here really helped me the first time i removed this annoyance. Keep up the good work, you guys are helping the world! 🙂
Maulum : Now there are 2 sets of tools : antivirus (AVG, Avast, Kaspersky) and anti-malware (MBAM/Spybot/Spyware Doctor). Typically, MBAM successfully detects and removes Antivirus Soft (though I have better results with Spyware Doctor myself). I do not trust free AVG – they remove specific parts of the detection algorithm (e.g. rootkit detection) to make people buy the full version. And ALL antiviruses lag in finding new versions of rogues like Antivirus Soft.
Personally I have quite a bad experience with Spybot – their definitions are usually not up-to-date. That’s why I am so skeptical about it. Quite often parasites are added weeks after other anti-spyware programs. Though it is usually difficult to fetch and analyse all versions of parasites. Thus it is a question of luck as well….
Thanks for your comments.
I agree with the lack of trust you have in free AVG or almost all large corporate free antivirus companies or free versions they may have. But I suppose the thing we can learn here is that there might not be ONE single answer for everyone in solving their virus problems. Possibly the best advice any of us could give is to keep trying various programs that you trust. Fact is you’re right to advise constant PC protection software and everyone should have it. If you’re like me, then it’s probably your own fault that you have a terrible virus.
Thank you for the quick replies and conversation 🙂
Maulum: That’s why I offer free instructions and allow comments with people’s solutions… Thanks for the discussion again.
I tried all of the steps to get rid of antivirus soft, but I cannot connect to the internet in order to download the removal tool. My computer has a network adapter that picks up a signal from a modem connected to a computer inside my parents house, which is about 60-100 feet away. How am I supposed to connect to the internet?
This is a temporary fix that will allow you to work on your computer until you can get a permanent cure for Antivirus Soft:
Do a System Restore. I contracted Antivirus Soft and it was so bad I couldn’t even get on the internet. It wouldn’t allow me to connect. It wouldn’t allow me to run my virus and malware detection software. Their boxes flashed up every few seconds, and I was getting constant and continual “invitations” to go to their site for the cure. I did a System Restore and all problems stopped. I can now use my computer freely in any way I normally have used it. I know the virus is still there, and I will get rid of it when I can, but for now it is, in all respects except in fact, GONE!
I bought this program, but I am afraid this program would monitor my computer and personal information. So is it better to remove this antivirus soft?
Or… should I leave it in my computer?
Also whom should I ask to get a notarize this program, so I can get my money back from bank ?
Mary : contact your bank. You should not leave it on your PC as it will stop real security programs from functioning, might install other malicious programs and is risky in general.
@admin
I have got a virus, it’s Antivirus Soft, and can’t get rid of it
I hired a computer specialist to get rid of this virus. He succeeded by doing the following. He downloaded the program Rkill to his computer, then transferred it to mine, and created a desktop icon for it. Then he rebooted my computer, and BEFORE THE REBOOTING WAS COMPLETE, he ran Task Manager to see what programs were reactivating. He noticed a rogue program was in the process of reactivating. The file was entitled “C:\Users\Hal\AppData\Local\cisixw\wvrksftav.exe” but by now the name might have changed. BEFORE THE REBOOTING WAS COMPLETE, he ran the Rkill program, which terminates all programs that are in the process of reactivating. Then he deleted the rogue program. This virus can only be deactivated DURING THE REBOOTING PROCESS, because the virus reactivates each time the computer reboots. The virus was not detectable by Malwarebyte’s Anti-Malware, by Spybots, and by Norton Security. The key is to run Rkill DURING THE REBOOTING, and then to delete the rogue file.
Hal : It is likely that your specialist missed a rootkit if the virus cannot be detected after booting the system. You should scan with rootkit revealer/gmer. Or Spyware Doctor.
Thank you for the advice re: rootkit revealer/gmer or Spyware Doctor. I am not knowledgeable about computers. Taking your advice, I tried to download gmer, but it shut down my computer in the middle of the download. Then I ran Spyware Doctor and it detected 43 infections of the TrojanFakeAlert variety. I then purchased the Spyware Doctor software required to remove these. Do you think that Spyware Doctor’s removal of these TrojanFakeAlert infections should solve the problem with rootkits?
VERY SIMPLE! turn computer on with safe mode with networking. RESTORE! gone. no joke so please stop wasting ur time lookin to download things because this clears it in about 2 mins and 23 seconds…
Hal: in many cases, yes. Spyware Doctor detects most rootkits, though these are the most difficult type of parasites to detect – they are created to be as undetectable as possible. Though in your case it is clear that your PC specialist has not cleaned the infections fully, he had disabled portions of it – 43 traces of trojans is a bit too much.
Rajdeep : wrong. It is not as simple : many trojans are dormant or are able to infect restore points. Restoring might work if the PC is completely blocked from executing executables, but you can access the restore function (it is rarely the case). Restoring will not remove parasites, it will not close the security holes parasites used to infect your PC. It will just disable them temporarily.
Hi, My computer became infected with Antivirus suite yesterday evening. I am not educated at all when it comes to computers. Having managed to locate what seems to be the original file that installed- “jwxsxawtssd” – I went into user permissions and by trying to deny access to it- and I don’t really know if this is what helped- when I shut down and loaded up my computer the pop ups and all the warning windows have not come up once.
I therefore decided not to download and run rkill, as this seems to be for those who need a breather from the pop ups to have a chance at running a malware removal program.
I tried Malwarebytes Anti-Malware for a full scan both before and after updating its software, but no trojan was found. I also used it to scan the file itself but nothing. I should stress here that I did not run Malwarebytes in safe mode as I read other posts where those with wireless internet seem to struggle with their connection once running Windows normally.
I also have not tried to use system restore as again it does not appear to remove the program.
I don’t want to delete the vprefajrd folder (where “jwxsxawtssd” was located) in case this causes it to replicate and I have to then hunt it down. I have the same fear about removing/disabling it from my startup programs.
On the whole my computer is running at about 80% efficiency, but I don’t dare access any personal password protected sites in case there is a key logger. I really want rid of this.
Any tips/suggestions on what to do?
Thank you to everyone posting their tips as it really helps when you have no idea what to do.
btw- I found the folder vprefajrd in: – appdata- local.
To give an indication of performance- I use Mozilla Firefox and that is running a little slower than normal, but I also live in a poor area for connection and with it being Easter weekend this could explain it.
I also have seemingly full access to all programs so thankfully, unlike other unfortunate posters, I can’t say that since yesterday I have had any problems. Although before I played about with the user controls for the offending folder, I had non-stop pop ups, so I don’t know if that helps anyone to know that changing the user access for the folder may have stopped the pop ups- BUT NOT deleted/removed the virus
As a lifelong martial artist, my mind has at repeated times gone to dark thoughts as to the fate I would leave these scammers if they fell into my hands.
Good luck guys with your computers!
Attn Admin- I tried downloading Spyware Doctor as linked on this website- the download finished after “freezing” several times and then wouldn’t run as it says the files are corrupted.
I then downloaded the free trial version of SpyDoc from pctools. After installation, I tried to run the program for the 1st time. It insisted on first running smart updates, and located “Database Updates 73.87Mb” or so of updates it needs to first download- the problem I have is that the downloads won’t complete. After a slow download process- it says “Smartupdate encountered a problem with the server”.
Is this because I changed the server settings in I.E. under tools, connections, LAN?
or is this the virus stopping the download?
Any suggestions on how i can get spyware doctor to get up and running?
Rob : I would download on other PC into USB stick or use network share if available. Also, if you can, download it in safe mode with networking. We serve a version with definitions (though it is strongly recommended to update after download).
My computer became infected this morning and XP Security denied all access to the net as well as giving a string of dire warnings. Having read all your comments on my wife’s laptop, I tried rebooting in normal mode and as quickly as possible went to system restore and went back a week. Early days perhaps, but it seems to have worked. A full scan with Malwarebyte found 11 infections.
My laptop got infected this afternoon. I ran Malwarebytes and it found 1 infection so I removed it and restarted my laptop, and when I log in I get a new window that says Run or Cancel. Whenever I click Run, Antivirus Soft starts up again, but when I click Cancel it doesn’t start up. Even though it’s in my power whether Antivirus Soft runs or not, it still bothers me that it’s still there. So is there still any way to remove it?
Hi everyone, my computer became infected either early this morning or late this afternoon, came home from school to find my computer stalled with mass pop ups and errors from antispyware soft or something like that. I had Avast already running prior to it loading, ran my version and found nothing. Started in safe mode and ran Spybot and Avast. Spybot found a bunch of tracking cookies but that isn’t the problem. Just downloaded the latest Malwarebytes and will run that in safe mode. I’ll update here when I fix this. Trying to not do a system restore.
everything was fixed via malwarebytes. just remember to go to internet explorer and unselect proxy.
Thanks everything sorted now
Seems my home PC got infected with this – the computer will not reboot into safe or normal mode (usually just keeps rebooting itself, but sometimes with normal mode it gives a blue screen error of UNMOUNTABLE_BOOT_VOLUME). Also gives a blue screen error when I try to boot from a good CD boot disk. Can’t even get to the hard drive – any ideas on what to try? Thank you for any help!
Mark: Connect hard drive to other PC (with good antivirus protection), fetch all the files you need, then reinstall time. After that do not forget installing good antivirus software, as it is more than likely your PC was infected with rootkit…
@sarah
thanks for your help.
I don’t know if this will help anyone, but a temporary solution to blocking this malware seems to be going to ‘properties’ when you see it in your taskbar, then denying access for the current user under the ‘security’ tab. Upon restart, the program will not be able to run and you can manually delete the files.
I got hit. I’ve done rkill and MBAM full scan three times now. I’ve tried Spyware Dr also and nothing worked. Maybe I’m missing something. Antivirus soft has an address in London. I did not purchase the removal but did notice a London paypal reference.
CLASS ACTION LAWSUIT!!!
Hi, a friend of mine had her PC infected with this. Previous versions of this virus have been cleared by using SUPERAntiSpyware, but this version seems to have evolved; it’s taken 3 days to sort out. I used SUPERAntiSpyware’s portable version as Malwarebytes would not run – the key for us was to run in safe mode and start whichever spyware program straight away, before the virus started to run. Once we could update SUPERAntiSpyware then things seemed OK. I also then ran Malwarebytes and between the two it’s OK now. An absolute nightmare!
@rsarrock
This worked for me after a few annoying hours of searching, thanks for taking the time to post, much appreciated!
I picked up the “Antivirus Soft” virus and struggled for a couple of hours to rid my PC of it. Fortunately, I run eTrust Antivirus software and it took a couple of scans before I was at least able to access my System Restore. Once that was in place, everything seemed to be working fine. I hate these people.
@sid
Mine won’t load System Restore!! How did you get yours to work??
Hey everybody. I know how to freeze the program and get everything working. NOTE: It does NOT remove it but freezes it instead.
Start Computer
Antivirus Soft takes about 15 seconds to load when you log on, so:
Go to Run (QUICK!) and type in ‘msconfig’
Then go to the ‘Startup’ tab, and uncheck the one that ends in ‘tssd’
After that, click OK and restart (a dialogue should appear),
Then it will no longer open at startup. Your programs will work, and you can use whatever you want to try and kill it then. REMEMBER: I have only frozen it, and you must do this VERY quickly.
My laptop got this last week, so I reinstalled all my OS via disk on the advice of my dad’s friend, and although I went for the clean slate option, it’s actually saved a file with all of my previous files I thought had been deleted. Does this mean that it’s still there but dormant and will simply strike again? Seriously CBA! 🙁
Okay, I really appreciate this site. However, I seem to have a strange problem. I managed to disable it, I went and altered my registry, updated all my antivirus, Ad-Aware, Spybot, and Malwarebytes and it caught some other items. Everything is running good, did a restore to a week ago… But I can’t get into my C:\Documents and Settings\user Files! I keep unchecking read only and it keeps resetting it! Very frustrated.
I got rid of Antispyware Soft on my computer but my Internet Explorer doesn’t work. I can log in as the admin and it works there, so there’s something in my user registry that is blocking me from using the browser. Can anyone help?
Joe: Can you launch IE, or is it just not opening web pages? If the first, you might still have an infection. If the second, remove the proxy server settings and clean up your hosts file; the virus itself is probably gone.
Owned it within 5 minutes with Norton :D. (USE NORTON!)
I just removed Antivirus Soft and my computer seems to be fine? I booted up in safe mode as explained above. Then I did a system restore back a couple of days. Rock On!!!!!!!!!!!!
Cameron’s idea worked….
…disable the proxy bypass and you will be online again.
Of the 4 comps I have running at home, the only one infected by this bothersome pos was the one NOT running superantispyware.
Fixed that now.
Luckily system-restore worked for me.
Hey there,
my gf has used my credit card to buy this shit!
And of course I told her not to and to buy some well-known product, but no.
What will happen to my credit card now? Just a one-off payment or will money keep coming out?
Should I cancel my card too?
Hope to hear back from you!
thanks Rick
Rick: talk with your bank. In some cases these charges can be reversed.
Pretty obvious when you get this on your computer. I was able to find system restore on a clean boot, and create a shortcut for it, then reboot it again, and got system restore running before this POS started. After restoring, system appeared clean, but I have downloaded and am running MalwareBytes anyway. I do hope Avast is as good as I heard. Thanks for all of the info in this thread, it really has helped.
Jebus Grimely!
This Stupid Virus is Awful! I just got it tonight. I have tried all the restore and malware scans mentioned, to no avail. I tried to find the registry locations listed at the top of this site and I could find all the pathways up until it said “random characters”. The Run file only had a little piece of paper with an “ab” on it. I am not tech savvy, though with instruction I can figure it out if someone has the time and patience to explain to me exactly how one goes about this process for Windows 7. I need my computer for some non-profit work, and the planning for a summer camp for at-risk youth. If you can help my computer you de facto help the community at large. Thank you for your time and patience!
Most Sincerely, Kyle
Wow…got this piece of crap yesterday…it’s really nasty. Tried all of the scans that were available to no avail…I really appreciate the help I found here…rebooted in safe mode…updated malwarebytes…ran a new scan…looks like its gone…thanks again. It’s really silly that these clowns aren’t tracked and prosecuted…
@G-ro
This worked for me. I started my comp. in normal mode and nothing popped up. How do you know if it is completely removed from the comp.? Is there something we can check?
Cherry: Do a scan with Spyware Doctor / Malwarebytes. It is a good idea to have both antivirus and anti-malware programs running all the time to reduce the possibility of infections.
Awful, awful spyware!!!!!!! I don’t know why I keep getting this every couple of months; it seems to bypass my virus program. I have NOD32. Just use ComboFix, it solves the problems.
The guy that owned the company that created this virus is on the run! He’s been in court several times now for similar issues but he is now considered a fugitive in the United States. If you look up “antivirus soft” on wikipedia it will take you to a page titled “MS Antivirus” which explains the background behind this virus and other related viruses, and then click on the name Sam Jain at the bottom to get the wiki page on him too. He’s one of a few different people involved in several criminal internet scams. Both pages provide a background on the companies behind this whole mess. Just thought I’d post this so everyone who has suffered with the dreaded ANTIVIRUS SOFT can get some info.
This worked for me. Many Thanks for that.
So.. I was a little proud of myself yesterday because I thought I had got rid of this annoying virus for good. I started by disabling programs from starting in my startup via safe mode (Run > msconfig > choose selective startup). Once I rebooted in normal Windows, I noticed that the virus did not attack with its popups. (It didn’t mean that it was gone, it just meant that I stopped it from loading so that I could access all programs and files that the virus was preventing me from accessing.) I then opened Internet Explorer and went to Tools > Internet Options > Connections > LAN Settings (bottom tab) and unchecked the proxy server settings and checked the automatically detect settings box. It allowed me online for one second, then the virus re-altered my connection settings. I logged off, restarted into safe mode with networking, downloaded Malwarebytes and ran it. It found a lot of infections and got rid of the virus. I had a little trouble connecting to the internet after getting rid of the virus, but after playing around in the registry I was able to connect! I was online for a good 45 minutes until that evil friggin virus had re-installed itself into my system. Well, this time it’s not so easy. I ran Malwarebytes again, no infections found! So I deleted weird registry ties, switched my internet connections again because I knew it would be altered. Fail!!! I’m still not able to access the internet in normal Windows (only safe mode with networking). I’ve spent my entire day trying to remove this thing and I’m at a loss. PLEASE HELP!!!
Dunno if you guys have discussed this yet, but I just got the damned thing and it’s really been a pain to get rid of. Malwarebytes trial has found a lot of infected files and removed them, and for some reason I’m unable to turn on my Microsoft Security Essentials. One weird problem I’m having is being unable to start up Windows properly though, without safe mode. Should I just assume there is more lurking in the dark corners of my computer, or is there something else? When I start it in safemode, I need to cancel SPDT.sys from loading to get into Windows, and I know this is because I have Daemon Tools on my computer. Any advice?
So I get this virus tonight. It sucks. I try to go into safe mode, and I can’t even move my keyboard when trying to select the option to go into safe mode; I can only start normally. What do I do? It won’t let me open anything. I can’t get on the net. I can browse folders though. That’s it. Do I need to rename any folders, then delete them? Someone help me. We’re dealing with a WoW addict here…
Josh: Read this guide about fixing the internet connection: http://www.2-viruses.com/how-to-fix-google-results-hijacker-google-redirect-virus-problem
I can not get my computer to boot in safe mode. Help!!!!
I got this virus on Saturday, May 29 2010. My first try to remove it was manual. I failed. The second try was using Malwarebytes. It removed all the items I manually removed plus an additional .exe. Malwarebytes seemed to work, but the virus returned (actually never was fully deleted) after about two hours… It failed. I then used STOPzilla, which removed all the items Malwarebytes removed plus 4 trojans hidden in restore points. I have been free and clear for 48+ hours. I will not go into what I did manually, as it can be found by a Google search. However, below is the log from Malwarebytes. STOPzilla does not supply a printable log. I recommend STOPzilla.
Malwarebytes’ Anti-Malware 1.46
http://www.malwarebytes.org
Database version: 4158
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.13
5/31/2010 11:12:36 AM
mbam-log-2010-05-31 (11-12-36).txt
Scan type: Full scan (C:\|)
Objects scanned: 241506
Time elapsed: 25 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cogogtsk (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Rich\Local Settings\Application Data\syssvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9AE12167-80ED-4D49-B20A-FB366B68C698}\RP316\A0049051.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9AE12167-80ED-4D49-B20A-FB366B68C698}\RP316\A0049052.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Temp\e.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Application Data\wfusqcpfm\inojtqjtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
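The log format above, as an added example that is not part of the comment or of Malwarebytes: a small Python parser run over an excerpt of that log, which checks the itemized detections against the summary counts and groups them by where they sat (autorun value, System Restore copy, user-profile executable). The function and category names are this example's own assumptions.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes log posted above, copied verbatim.
LOG = r"""Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 5
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cogogtsk (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Rich\Local Settings\Application Data\syssvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9AE12167-80ED-4D49-B20A-FB366B68C698}\RP316\A0049051.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9AE12167-80ED-4D49-B20A-FB366B68C698}\RP316\A0049052.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Temp\e.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Application Data\wfusqcpfm\inojtqjtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(.+ Infected): (\d+)$")     # "Files Infected: 5"
SECTION = re.compile(r"^(.+ Infected):$")            # "Files Infected:"
ENTRY = re.compile(r"^(.+) \(([^()]+)\) -> (.+)$")   # item (label) -> action

def classify(item):
    """Group a detection by where it sat (category names are this example's own)."""
    low = item.lower()
    if "\\currentversion\\run\\" in low:
        return "autorun"           # value that starts a program at every logon
    if "\\system volume information\\_restore" in low:
        return "restore_point"     # copy that a System Restore rollback can bring back
    if "\\documents and settings\\" in low and low.endswith(".exe"):
        return "user_profile_exe"
    return "other"

def parse_log(text):
    """Return (summary counts, itemized detections) from a log in this format."""
    summary, entries, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := SUMMARY.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION.match(line):
            section = m.group(1)
        elif section and (m := ENTRY.match(line)):
            item, label, action = m.groups()
            entries.append(dict(section=section, item=item, label=label,
                                action=action, kind=classify(item)))
    return summary, entries

def count_mismatches(summary, entries):
    """Sections whose summary count differs from the number of itemized lines."""
    listed = Counter(e["section"] for e in entries)
    return {s: (n, listed[s]) for s, n in summary.items() if n != listed[s]}
```

An empty result from `count_mismatches` means every counted detection is itemized; entries of kind `restore_point` are the ones to recheck after any later System Restore rollback.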
How much money is actually taken if the product is bought?
Like, I bought the promoted package presented by the spyware thing and I just wanted to know how much money is actually taken and stuff… Like, my computer won’t even allow me to open my icons!!!! Like, when I click on iTunes or even Solitaire a pop-up comes up and says that it can’t be opened, purchase spyware thing… So I did, and now I read this and got scared. Help!
I got the Antivirus Soft virus a week ago on my laptop. Now Windows will not start, even in safe mode. Is there any rescue CD available that will detect this virus?? Help!
@A. Sanchez
Yes, my wife’s computer got it and now it boots up porno and viagra sites. Any way to prevent it once I get it off of her system?
Shark: Good anti-malware programs like Spyware Doctor or Malwarebytes (commercial version) have real-time protection modules. In most cases they prevent infections like this.
I got this insidious virus last week, late enough at night that I didn’t have ready access to another PC. Like many of the afflicted, I couldn’t Google for help or download any scrubbing programs.
I made the decision to then just bite the bullet and purchase the “software” and take followup action as needed. Kind of ironic turn of events for the vendor, but I love a good irony. I plunked down the $49.95 on a low-balance debit card, and the bogus AV program loaded like a charm…lo and behold..I SOON HAD MY PC BACK!
First stop: Google, which was inundated with various warnings (now they tell me!) and suggested remedies in tons of blogs just like this one.
Malwarebytes free version did the trick, and I also went into my registry and manually edited / deleted remaining affected files. PC was back to normal in a couple hours, faster than before actually, thanks in part to the registry scrub. Then my only remaining business was to wait for the transaction to clear at my bank; after a 10 minute phone call to claims dept today, I had my $49.95 back.
I politely emailed the vendor via reply to the purchase confirmation and advised I deleted their “product” and was blocking the transaction. I do not expect a reply.
Check post #21 if you have tried all other solutions yet still have this virus
@Howard Mundin
Try to create a new user with administrative privileges and then delete the other account. That should remove Antivirus Soft.
Got hit with this AntiVirus Soft virus yesterday. It actually hit me twice. Once about 3 months ago. Thought it was a legit problem and like a sucker I bought it. Yesterday after installing the drivers and software for the Microsoft Lifecam, it came again! This bastard hijacks everything, would not let me go to ANY website except theirs to buy it, and keeps applications from starting (either they close immediately or you get a warning that it is “infected”). Kept getting popup warnings that my system was infested and under web attack.
A reboot in safe mode and a system restore to a point last week fixed it, but just to make sure I downloaded the recommended utilities to scan and did a full one. Took well over an hour, but it found 11 other threats from this bastard of a virus.
It seems to lie dormant until you make a change (install software or hardware) and that is what kicked it off.
So even if you “buy” it like a sucker I was, it will return for more. Give it three months if that is the package you bought. You will get hit again if you do not remove it completely.
It will not even go into safe mode. What can I do?
I have a trojan, some sort of virus. It seems impossible to remove. I am also scared that I have my card details and stuff on my infected PC.
Some Antivirus companies have boot scanners, for example http://www.avira.com/en/support-download-avira-antivir-rescue-system . Also, in some cases you can rename programs to .com instead of .exe and launch them