Antivirus Live - How To Remove?

Type: Rogue Anti-Spyware

Antivirus Live is a fake anti-virus program and the successor of the notoriously popular Antivirus System PRO rogue. Antivirus Live looks the same as its “brother”, and its functions are nothing out of the ordinary: this parasite relies on Trojan downloaders and drive-by downloads to enter the system, and on misleading advertising to trick users into purchasing its “full version”, which doesn’t really exist. Do not purchase this bogus antivirus application, and make sure to get rid of it as soon as possible.

Once inside, Antivirus Live floods the user with pop-ups and fake system notifications, supposedly to report one or more infections present on the system. This information is false, and even if it weren’t, it should still be ignored, since Antivirus Live has the ability neither to detect nor to remove threats. Antivirus Live performs fake system scans, which mark harmless files as threats in hopes of scaring the user. Afterwards, this parasite urges the user to download the full version of Antivirus Live, which is supposedly required to remove all the infections on the system.

Antivirus Live tries to protect itself by blocking legitimate security software, hijacking Internet Explorer, and disabling certain system features, such as Safe Mode, System Restore, Task Manager, and Registry Editor. If Internet Explorer is the only web browser you have, you may not be able to download from, or even open, security-related or antivirus software websites. And of course, Antivirus Live will block any attempt to download anti-virus or anti-spyware applications. Use Firefox, Opera, Chrome or any other web browser that you have. If you have only Internet Explorer, then do as follows:

1. Open Internet Explorer. Click on the Tools menu and then select Internet Options.

2. In the Internet Options window, click on the Connections tab. Then click on the LAN settings button.

3. Now you will see the Local Area Network (LAN) settings window. Uncheck the checkbox labeled Use a proxy server for your LAN under the Proxy Server section and press OK.

If you are still unable to open certain websites, repeat the above steps or use another browser if you have one.

Next, you have to end the Antivirus Live process. Open Task Manager, look for [random]sysguard.exe (for example, mscqsysguard.exe) and terminate it. If you can’t open Task Manager, then download and run Process Explorer.

IMPORTANT: Do not reboot your computer after running Process Explorer. Otherwise, Antivirus Live will start again.

After that, search the disk for the files belonging to the processes you stopped and remove them.
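
The manual steps above (proxy check, ending the [random]sysguard.exe process, locating its file on disk), as an added PowerShell triage script that is not part of the original article. It assumes PowerShell 3.0 or later, that the startup entry visible in msconfig lives in the standard Run registry keys, and that the executable sits under the user's AppData folders, as commenters below report; it only reports unless run with `-Remediate`.

```powershell
# Added example (not from the original article): triage for the
# [random]sysguard.exe pattern described above.
# Report-only by default; -Remediate stops matching processes and
# turns the proxy checkbox off. Files and registry values are only
# listed, so they can be reviewed before anything is deleted.
param([switch]$Remediate)

# Name pattern taken from the article: random letters + "sysguard.exe".
$pattern = '*sysguard.exe'

# 1. Proxy: ProxyEnable is the value behind the
#    "Use a proxy server for your LAN" checkbox in Internet Options.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet
if ($proxy.ProxyEnable -eq 1) {
    Write-Output "Proxy is enabled: $($proxy.ProxyServer)"
    if ($Remediate) {
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
        Write-Output 'Proxy disabled.'
    }
} else {
    Write-Output 'Proxy is not enabled.'
}

# 2. Running processes whose image name matches the pattern.
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -like $pattern }
foreach ($p in $procs) {
    Write-Output ("Process {0} (PID {1}) at {2}" -f `
        $p.Name, $p.ProcessId, $p.ExecutablePath)
    if ($Remediate) {
        Stop-Process -Id $p.ProcessId -Force
    }
}

# 3. Startup entries. Assumption: the entry shown on the msconfig
#    Startup tab is stored in one of the standard Run keys.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -like '*sysguard*') {
            Write-Output "Startup entry: $key\$name -> $value"
        }
    }
}

# 4. Files on disk. Assumption: the executable is under the user's
#    AppData folders. -Force includes hidden and system files.
$roots = @($env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ -and (Test-Path -Path $_) }
if ($roots) {
    Get-ChildItem -Path $roots -Filter $pattern -Recurse -Force -File `
        -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Output "File on disk: $($_.FullName)" }
}
```

Run it from the affected user's account, since the proxy setting and the HKCU Run key are per-user.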

We recommend scanning with SpyHunter or another reputable spyware remover after that to make sure you have succeeded in cleaning out everything belonging to Antivirus Live.

Antivirus Live is a scam and should be treated as such: do NOT download or buy it and remove Antivirus Live immediately upon detection.

Automatic Antivirus Live removal tools

Note: The Reimage trial provides detection of parasites and assists in their removal for free. You can remove detected files, processes and registry entries yourself or purchase a full version. We might be affiliated with some of these programs. Full information is available in the disclosure.

Manual removal


Important Note: Although it is possible to manually remove Antivirus Live, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on


About the author

I am an attentive virus researcher. My interests include discussions about deceptive online content and rogue software applications. Our goal is to minimize the risks that many people encounter during browsing and help them figure out the main hints that might indicate that a program or a website is of a fraudulent nature.

November 14, 2009 16:26, August 31, 2010 22:14

230 thoughts on “Antivirus Live”

  1. I cannot locate any of the processes, registry entries, or files on my system for Antivirus Live. However, the browser window still pops up and starts scanning my computer every boot-up. Then it stops, and I cannot access the internet anymore. The browser window that pops up and starts searching is definitely Antivirus live. Any ideas?

  2. Start a task manager and list processes running under your user. Skip processes you know or can find on the net. List them and try stopping them or paste here.
    Antivirus Live MIGHT change its process names to confuse people.

  3. I had this problem just yesterday and solved it. Admin, your idea doesn’t really work unless you start the Task Manager on boot of the system. Otherwise you can’t open Task Manager or any other application without the virus saying “____ is infected”

    I have an AMD64 running AVG Pro, Malware Bytes and Hijackthis and I still caught the virus. I got it from visiting a popular website. I think it came from a banner ad on that site but because I’m speculating here I won’t mention them.

    Here is what to do:
    Close your computer down and restart. Boot up your system and if you’re quick enough you should be able to start Chrome or Explorer as well as your internet connection. I’ve found that if you wait a minute or two the Antivirus live virus pops up and you can’t do anything. Once you’re in your browser go to:
    http://*** and download “Combofix” from there and save it to your desktop. Do not click “Run”; if you do you won’t be able to install it due to the antivirus virus preventing you. Next restart your system again. When you get to your desktop again immediately run Combofix.

    Click Yes at the Disclaimer Warranty screen. Next it will start backing up your registry and you’ll get another screen prompting you to download “Microsoft recovery console”. You likely won’t be able to do this as you’re not connected to the internet. If you are connected and you can click yes then great. If not, don’t worry, just keep going and click “Yes” when Combofix asks you if you want to scan for malware.

    Combofix will start to scan, be patient and let it run. Don’t start or stop anything. After a few minutes it will tell you that it’s restarting your system and when your system loads up again it will continue the scan. Once that’s done you should be clear of the antivirus live virus. Then you can connect to the internet and run Combofix again, this time downloading the Windows Recovery Console. Let it scan and restart your system and voila!

    Nothing else that I’ve found on the internet will prevent or take this off of your system. After 5 hours of working on it yesterday I was able to finally clear it in about 15 minutes with combofix.

    If what I wrote is at all confusing then follow the instructions on the link I posted. After that come back here and let me know how it worked for you. By the looks of it there are a lot of people over the last few days with the same issue.

    Good luck!

  4. Nasty bit of business here. Says the following systems are infested and won’t allow access to them: spdoc.exe, taskmgr.exe, rundll32.exe, can’t access my external drives to restore windows….

  5. For your internet…. In your internet browser, go in tools-> internet options-> connection-> network parameters and then deactivate the proxy server. That’s why your internet isn’t working! I had this virus, I did it and my browser is working now. Don’t forget to scan your computer with a good and real antivirus to quit it properly. Good luck!

  6. Sonny :
    1. I hope you got paid malwarebytes. Free malwarebytes is NOT a protection for a PC. It is good remover though, we recommend it as well.
    2. I can not recommend AVG, though. I am a big fan of NOD32, though AVAST, AVIRA, Kaspersky are good choices. Can’t tell same about AVG.
    3. Have you tried spyware doctor, superantispyware? Combofix is not a full remover.
    4. I have talked with some guys developing one security product recently. They claim hijackthis is no longer a good way to check infection places, many of recent parasites can hide from hijackthis scan.

  7. I tried to download the “Combofix” program for another computer and install it from my jump drive, but I can’t open up that drive on my infected PC: It gives only the “what program do you wish to open the file with?” as though my driver were an unknown file type.

    So then I tried to go to Internet Options and change the Proxy settings so I could directly download it, but any time I click on “Connections” tab Internet Explorer locks up. The same thing happens if I run it straight from the Control Panel, it just freezes the options screen.

    The only thing I managed to do was run “msconfig” and change the startup files, but that doesn’t prevent it from appearing… I’m thinking I should just take my PC in to a professional? Is it worth saving/transferring my files or is there a good chance the virus will tag along? Should I wipe my whole computer? Q_Q

    Sonny: I’m pretty sure it happened last night while I was navigating a popular site as well, I wonder if it is from the same one? :O

  8. Many thanks to all your comments, especially Sonny. I had figured out that I had a brief period of time upon booting to get one try in. Finally got to Task Manager and was able to stop the process – named mkfusysguard.exe. Once that was stopped I could download Combofix. I tried spdoc from this website (downloaded to a flash drive from another computer, had to copy it to desktop of infected computer, and got it installed, (took 3 reboots) but it locked up after that. The Combofix seemed to stomp out the Antivirus. Thanks for all the help.

  9. Wow! 😀 Okay, thanks you guys!! I tried what Neil did, but I didn’t see anything with “…guard.exe” in the task manager (maybe because I changed it earlier in msconfig?), I just ended a few processes I didn’t recognize that were taking up a lot of RAM (dangerous, I know, but ;P). I was able to use Internet Explorer just fine, changed the Proxy settings and downloaded both ComboFix and SpyDoctor. The Antivirus Live thing didn’t pop up the whole time.

    I ran Combofix and it didn’t have to restart my PC at all so I was a little nervous if it worked, but the log it gave me looks good: I recognized the registry entries and files that were mentioned as needing manual removal. I ran SpyDoc afterwards and it just gave me a few minor tracking cookie alerts. So I think I’m clean?? I haven’t restarted it yet, I think I will back up all my files first(now that I can again!) just in case, but I am cautiously optimistic.

    Thanks everyone so much!! ^__^

  10. Antivirus live hit me yesterday. After reading all the comments and various instructions on how to remove it, the time it takes to get the job done, I opted to purchase Spyware Doctor. Once I was able to get an internet connection and download the program and then purchase it the virus and all its pals were removed. Be warned that just scanning your computer with a trial run with this program is a waste of time. Once the scan is completed the program will not allow you to remove any of the bad guys until you purchase the program for $40. The $40 purchase will get you the license for 3 computers. The program did remove and restore the function of my infected computer and in the long run save me a bunch of time.

  11. It absolutely beguiles me that there are so many creative people in our society today that are destructive by nature. People that would rather destroy, pillage and plunder rather than build something productive. How do you wrap your brain around creating something like this, suicide bombers, and the likes of people like that. I think by nature our human species is good. But, there are sure a lot of evil mutants out there. Beware!!!

  12. I got the same virus and this is what I did to remove it manually.
    1. restarted the computer, after logging in and before the antivirus live program quickly get to task manager.
    2. when the antivirus live program comes up, click into it and it will also appear on task manager. End task.
    3. locate the virus with search and delete it
    4. go on internet explorer, find tools, internet options, connections, LAN settings, and uncheck everything

  13. I would like to thank you for the link to Combofix it worked perfectly in removing this problem that one of our users had on his laptop. Sonny did not get lucky Sonny hit the nail on the head.

    Thanks Sonny

  14. Thank you very much Sonny, you are “red dragon”! We spent 2 hours looking for something useful to remove antivirus live…and only your advice really helped… Thanks.

  15. I cannot get any of this to work it seems to have total control I try the task manager it never pops up, I tried the LAN process to no avail and cannot go anywhere on the internet

  16. I finally removed mine after looking at startup programs in msconfig (run > msconfig > startup tab). There was a random name for a program which was located at C:\Users\”username”\appdata\local\”random folder name”\”random letters”sysguard.exe. Finally deleted it.

    The instructions on this site above were the most complete by far. Other sites did not help my quest for a normally functioning computer.

  17. Awful virus.

    Managed to stop Antivirus Live by following Admin’s advice – though had to modify this a little. Needed to restart computer and as Sonny advises, quickly connect to internet. Then managed to follow Admin’s advice to change LAN settings followed by Task Manager. Found sysguard.exe file under process tab (tip – if you can’t see it immediately look for the programme which is using an increasing amount of storage space, everything else should be relatively static). Once I’d found this I clicked end process that stopped Antivirus Live dead in its track (by the stage I got to Task Manager Antivirus Live was sending up loads of error pop ups and trying to connect me to its own and adult sites). Anyway once I’d clicked end process on task manager I followed Sonny’s advice and used Combofix to remove it. Am now making double sure by running MalwareBytes.

    Thanks for all your help guys – I can now get back to some work after two hours wasted on this.


  18. I’m having a huge problem. I cant access: spdoc.exe, taskmgr.exe, rundll32.exe, can’t access my external drives to restore windows….

  19. I tried to rename it and now it says the file sss.pif.exe is infected. Do you want to activate your antivirus software now?
    It also rejects McAfee and any real antivirus. Please help.

  20. Abdus was right, go into task manager quickly before antiviruslive has a chance to get started. Watch Task Manager as the virus screens pop up and that will help you determine which file it is. Then follow everyone else’s instructions. Thanks for the help!

  21. Hi Guys, this is what I did and it’s the same as Kella’s procedure. I went to msconfig and saw an unusual program called (ffimsysguard), I went where this file resides and deleted the whole folder. I rebooted it and the problem was gone. Hope this helps.

  22. Using Kella’s advice of the msconfig helped massively by deleting the process file! However combofix appears to be down now! Can’t download it at all! Absolutely livid about this infection…what devious little russians these people are! Thank you Kella, but what else can I do to make sure it has gone for good?

  23. followed neil’s instructions to open task manager fast and stop the virus, and i am running a scan with norton 360 but will that remove the threat?

  24. I’m currently running Anti-malware after downloading this beast last night myself. Yes, Kella’s advice seems to have worked, but I was able to stop the false problem messages by killing ‘kvoop.exe’ in the task manager. (And yes, I had to quickly start the task manager immediately after logging in to my machine, or else I would have gotten the error “tskmgr.exe is infected” and not started the task manager.) I removed a folder called “spckcq” from my “Application Data” directory. This contained the “…guard.exe” file that was getting launched at startup. I noticed there are 3 executables in my “C:\Program Files\Manufacturer\Endpoint Agent” directory: CUI.exe, edpa.exe, and wdp.exe. These are currently still running, and I’m not able to stop them. Hopefully re-starting will resolve this, but I’m also hoping the anti-malware will catch it and remove it as well. I will update when done.

  25. Folks, I know absolutely nothing about computers and currently have this insidious virus on my computer. The solutions posted by users are unintelligible to me so I wouldn’t know how to carry them out. I reckon I should therefore buy a product that can do this for me. Is the Spyware doctor recommended by Butch (thanks Butch!) the best thing out there or are there better products available? Thanks in advance for all your comments. Ger

  26. After finishing the malware scan and removing the problems, I re-booted. These 3 programs are still running, and I can’t stop them from the task manager: CUI.exe, edpa.exe, and wdp.exe. I also noticed 2 instances of kvoop.exe running, which I was able to stop. How do I get the others to stop?

  27. Hey my computer got infected with antivirus live yesterday, will I still be able to use combofix and spydoctor to wipe it off or will it have eaten through my computer? I don’t get what the virus is – what does it do? I’m not confident in using combofix as it says you need to be supervised by an IT specialist to use it cos it can damage your files if anything is done wrong =/

    helpppp 😐

  28. btw i have mcafee but when i did a scan on boot (before the pop ups kicked in) it still didn’t find anything..

  29. RUN/MSCONFIG/Start up tab worked! Allows you to find the sysguard.exe and stop it. Should be logged in as Administrator user account. To delete the virus you need to adjust folder options in order to see the “lkwisysguard.exe”. Go to : My Computer/Tools/Folder Options/View/ Check – Show Hidden Files / Uncheck – Hide Protected OS Files. Thanks for the help and good luck to those who need it.

  30. Hi guys a few questions. Firstly, combofix is down, can’t download that. Second, there are absolutely no files in task manager with sysguard.exe, and in msconfig i don’t know how to find, or change the name of any programme. I know yogysguard is a bad one, but it says i have to be administrator to get rid of it…which i am. Need help badly.

  31. Used Kella’s advice, got into task manager quickly on restart and stopped all dodgy looking exe’s then did the run>msconfig etc, then searched on c drive found the bugger and deleted it, then restarted and opened IE and changed the proxy settings, downloaded malwarebytes (combofix not available) ran full scan and deleted 5 infected objects. All good again, Thanks guys/girls?

  32. Hey sonny’s advice worked for me thank God!!! I was so frustrated nothing else would work and I have excellent antivirus software on my computer and I still got it.

  33. @admin

    Hi there,

    I posted earlier today re this problem on my PC and you didn’t show my comment. Can you please tell me what I should do as I am now two days without my PC and I am self-employed. I am happy to buy whatever programs are required to resolve the problem as this is costing me both hassle and money. If you don’t want to help me, that’s fine. But I would appreciate a response indicating this. Thanks, Gerry

  34. OK…what am I doing wrong? This is what I can’t figure out. I located the ___sysguard.exe and went into msconfig, unchecked the box for the start up for it. So when I turn my laptop on, it won’t start (problem temp. solved). I’m sure this is still on my computer. I would like to manually delete this. My trouble is trying to locate it. I can see the file in msconfig C:documents and setting/shayne/local…and so on. But when I search for it in my C:file, I cannot find it! Is it hiding? I have looked in many folders and I have also done a search for certain words in that file. Anyone know where to find this and manually delete it?

  35. Declan : try booting in safe mode. If it fails, you would have to fix registry manually, as Antivirus Live messed with your permissions.

  36. Most of these methods work in one form or another. I rebooted to safe mode and ran the latest McAfee Stinger and it removed it all no problem. The main problem is how to protect yourself from it in the beginning.

  37. I cleaned it out in a few minutes, after reading the notes, I have seen and removed the earlier version as well.

    The key is to beat the program to the task manager and end it! Then things run normally…

    I noticed a few things, this infected only one of the users, there were only about 5 entries referencing *sysguard* in the registry.

    I cleaned out the registry, removed the .exe (which was in the users’ application data directory) and all is well.

    It is almost exactly the same as the previous one, just new screens and a name change (renaming itself routine)

    Good luck!

  38. I rebooted my computer in safe mode. I unchecked the antivirus from startup and I purchased spyware doctor and all is well. Sorry if this is not technical enough, I do not know that much about computers

  39. Nothing works… In my first attempts I was able to get internet explorer going but now, even if I’m not wireless it says that I’m not connected. I go to tools, and Lan and uncheck the proxy but after, I can’t do anything. If I go in my task manager AVL pops up. I can’t get process explorer either. I’m no computer wiz… It’s my father-in-law’s computer and I’m using mine to try and surf the web for a solution… any suggestion? thanks!

  40. I fixed mine by going to another profile within my pc and updating malwarebytes and running a full scan. It found 33 infected objects. I cleared them then had to fix the proxy settings above and boot and it worked!!!

  41. Me again,

    I went in safe mode, downloaded Malwarebytes, cleaned the computer, downloaded the update of AVG cleaned the computer (again)…. No more AVL but the computer won’t recognize the wire for my modem and says I don’t have a connection. It works fine on my other laptop… I checked the connections parameters, change the default setting so it won’t dial my in-laws net provider number… still explorer doesn’t work… Please.. anyone… I’m about to make a snowball out of it!

  42. Just got nailed with this today. I have the above symptoms and then some…

    Was able to open task manager and kill the *sysguard process. Not seeing the “Antivirus” live window anymore so that’s good but still getting several popups telling me to upgrade and how I’m infected with this, that, and the other. Was also able to follow the help in clearing the IE settings but still getting IE popups. Ran MS config and disabled the *sysguard and wenijalu startup items and rebooted.

    But, maybe I have more than one problem going on. It stomped on my previously installed AVG. I cannot fire up Regedit or launch a system restore–claiming they are “disabled” by the administrator and group policy. Tried to install Malwarebytes’ Anti-malware and get “unable to execute file” on the install. Combofix is not available anymore! (or at least at the moment)

    Mean as hell and seriously frustrating… Appreciate all suggestions!

  43. Just a quick note:

    I had MalwareBytes version 1.40 already on my system and it failed to find this virus.

    I downloaded version 1.42 on a different computer and installed to a USB Key and cleaned the virus after re-booting in safe mode. Version 1.42 will find this virus.

    Anyone follow the virus and able to get a website URL?
    Post it and we’ll get them!

    Thanks everyone for your notes and assistance!

  44. Manual steps work. Be patient. Use safe mode. Clean out everything including the temp internet files or the bleeping thing re-spawns. Took a couple of hours and a couple of passes but I nailed it without having to go to extreme measures (like hiring the Best Buy Geek Squad thank GOD !)

  45. I use AVG Free, just got the Antivirus Live, ran Malwarebytes’ in “safe mode” removed Trojan.Fake Alert but when I go to control panel, security center my antivirus say ON and AVG under it but the Antivirus Live “icon or shield” is there instead of the AVG like it was before. there are no more pop ups but have I not removed the virus?

  46. After I get into task manager .. w/e delete the program what do I do now I had the free version of AVG do I just scan and delete or what do I do ? sry I never had a virus until today and not really smart at computers sry for bad spelling type way too fast and was on laptop but if u can help me out ty

  47. I got this Antivirus Live, but I can’t start the computer, after maybe 30 sec. it stops…not even the mouse works, so there is no way to download the program!
    Please, any advice?

    Thank you

  48. @Sonny Phono
    sonny phono…. thank you thank you thank you… if I was a woman I would ask you to father my children… after waiting 3 hrs for a piece of tripe to do basically nothing we did exactly what you suggested… though we did have trouble getting onto the net… internet explorer screwed up and kept going offline and so we had to reinstall it but you were absolutely right… thank you again…

  49. @Sonny Phono
    Sonny your trick worked for me. I downloaded Combofix onto my pen-drive using a different computer. Then I quickly copied and pasted Combofix onto my desktop right after boot and clicked it to start it. I guess I did all this within a minute and voilà, it worked. Thanks a bunch.

  50. Thanks so much for your directions!!! I was able to get rid of the live antivirus bug. I did notice in task manager the program name was changed. I can’t remember what it read exactly, it started with an “i”. but the ending was sysgaurd. Thanks for posting this!!


  51. @Brit Howell

    So I got this virus tonight. I got everything taken off, but I can’t get on the internet, it says it’s not connected, but I went back and did the opposite of what u told us

  52. Well, I got that nasty little bugger tonight and it took me a little while to figure it out. Here’s what I did to get rid of it. I rebooted and once I was able to I right clicked and selected Task Manager first thing. Then selected the processes tab, looking for the (random letters)sysguard.exe file, selecting that file and then selecting End Process. The file popped right back in and I ended it again. I watched to make sure it didn’t come back and closed out of task manager. This freed me to go into System Restore and go back to another day when everything was running smoothly. The bugger is gone, or at least out of the registry. Computer running fine now.

  53. LostBoy No wonder, bleepings promote malwarebytes instead of their completely free tool. You need to disable antivirus live processes before using malwarebytes.

  54. True the virus didn’t show up on its own, and I’m sure the “program” is there in some capacity but cannot now be executed. All registry locations are from another day when the virus was not installed. Once it gets overwritten by something else it’ll be gone off the hard drive. I’ve had the computer on overnight and still running smoothly. Sometimes the solution can be as simple as what I did.

  55. Combofix is available again and did the trick! It knocked out about a dozen infected files and allowed me to install Malwarebytes (free version) which found another 30+ infected files… among them rootkit and spyware password logger files.

    Looks to be all good now though. What a royal pain in the a**!

  56. HI, I was able to get Antivirus Live from popping up on my screen after startup. You need to go into “msconfig”, before AV Live starts, in the “startup” tab disable “gxqwssysguard” from starting. Then you will be able to go in and uninstall Antivirus Live’s components.

  57. Thank goodness for this site! Got hit with this yesterday. Getting to Task Manager after reboot and ending the ‘sysguard’ process let me get to the internet to download combofix and spydoc. The two of those seemed to work, but I’m running a system restore (now that I can!)just to be sure.

  58. Thanks for the tips. I was able to successfully remove this shit from my machine by using the brief time before antivirus live kicks in, start the taskmgr and kill the ***sysguard.exe. It showed up under a garbage name, so was easy to find.
    Once killed, I was able to disable the proxy setting in the browser. I used regcure which found it and removed it.
    SpyDoctor found it, but you need to buy the tool to cure.

    Also do a dir *guard*.exe /s and delete this malware physically from the drive.

    ooh…what a freaking waste of time!

    Thanks to all who contributed with valuable suggestions. Would have been very difficult without them.
    Happy Holidays!

  59. Well, that was an unexpected, rather enjoyable experience.

    “enjoyable” meaning unnecessary, irritating, yet oddly satisfying to complete. It seems, the priorities are:

    1.) boot up Task Manager ASAP, end the [random]sysguard.exe on startup
    2.) Uncheck the “use proxy” box in Internet Explorer
    3.) Use Malware and Combofix together to delete the files (I ran malware first, did a scan and deleted the detected files, got Combofix, ran it, and used malware again afterward to double-check everything was gone)

    Surprisingly easy, once you know what’s going on. Still, how inconsiderate of these bastards to ruin our holiday spirit.

    That being said, many thanks to all who posted on here. It took me about 2 hours since getting it to figure out what was up, and shut it down. If I’m ever this unlucky again, this site will be my #1 resource.

    Merry Christmas all!

  60. Well, got the virus about an hour ago. Been reading everything on this site, and I think I have it under control. Using Malware right now and McAfee, with the Process Explorer running making sure it doesn’t pop up.

    It’s been irritating, but like Koffee said, quite enjoyable. I also had a personal guard 2009 infection a while back, Killbox caught that one for me.

    Thank you to everyone who posted, it really helped!!!

  61. It’s actually not a virus. Well, in a sense. It’s as the descriptor says: It’s a corrupted antivirus software program used to bilk people out of money. DO NOT, I repeat, DO NOT buy this program. All it will do is short you 70 bucks and put even more viruses and spyware on your computer.
    It’s actually not too hard to fix if you follow the instructions for manual removal. But you need to end all “sysguard.exe” processes first, which means you have to hit the task manager first thing after logging on. If you need to find the registry edit, go to the start button and hit run. Then type in regedit. Be very careful about what you erase from there though. You could kill very important registry files. These registry files will keep the program from popping up every time you log off or shut down your computer.

  62. THANK YOU SONNY!!!! Caught the damn thing today and I couldn’t open rkill for the life of me. Yours did the trick. Thank you.

  63. Antivirus Live attacked me just yesterday. However it wouldn’t let me ctrl+alt+del and when I tried to run taskmgr.exe manually or any program for that matter it said they were corrupt and wouldn’t let them open. Luckily I have mozilla firefox so I was still able to access the internet, so I downloaded Malwarebytes Anti-Malware but it wouldn’t let me open any programs as I mentioned previously. I had to restart my computer in safe mode (with networking) and then run malwarebytes and it removed antivirus live and the infected registry files. The only problem I’m left with is the side effects of antivirus live… internet explorer no longer works as well as windows live messenger. Also when I try to run any of my online games none of them can connect to their servers.

  64. I can access my internet now after going into task manager but how do i remove totally. I have to remove every time I turn on my computer?

  65. Caught this yesterday and lucky enough to kill it myself. Was looking for anything I missed. I got it from visiting a website (or being redirected). Question: What setting in IE allows executables to install and run automatically? I’m trying to figure out how the dang thing got here with firewall/antivirus/etc. running.

  66. Got hit with this virus visiting a website with information for how xmas is spent in other countries, how i got it i dont know. Reading all the feedback in this forum was interesting, i think how vast the effects are on your computer comes different ways of getting rid of the virus scan live chode..for some its not as simple to fix…i couldnt get rid of it by task manager, changing names of files and all that other weird trash, but did do what any human being would do….closed my eyes and pointed at the screen, which ever post i landed on i would do that to fix my problem….good for me i landed on SONNY’s advice…did the whole “combofix” thing and had no probs after that….thanks admin for having this, on to printing xmas photos!

  67. This virus is not letting my access any program or file. I can use Mozilla Firefox, but that is about the only thing that works. I tried using ctl+alt+delete, but it labeled it as corrupt. I also tried downloading Process Explorer, and it labeled that as corrupt as well! Is there anything else I can do?

  68. Hi,
    my situation is as same as Ethans. My computer got attacked yesterday. I only have Internet Explorer. I cannot open task manager and cannot get on internet. Also, I am not able to scan my computer with AVG. I was not able to follow the steps above. Is there any other methods?

  69. I just can’t believe this. I have tried everything, I got this on facebook, I didn’t even download it; it just popped up. I am not a tech person and none of the fixes have worked. What do I do, this is a brand new laptop. Please help.

  70. hey guys if u r having problems opening taskmanager, just restart ur pc then as soon as u log in just keep pressing ctrl alt del this will work as the fake virus software takes time to load, so the aim is open task manager before the fake virus loads. from there as people r saying end the process of sysguard.exe

  71. Hells bells people, after reading all the above, what chance has someone like me who is not a computer expert got in stopping my computer from being hijacked by these mongrels. I am lucky that I have a friend who is very good at computers and he has my infected computer now (it was infected two days ago). I’m using my old computer at the moment. This scam is a MONEY EXTORTION CYBER SPACE CRIME and there must be authorities somewhere that can track them down and take em down followed by prison time.

  72. How are you supposed to download that removal program if you have Firefox? Anyone know a way? Firefox always makes me save download programs to my desktop before I can run them and this virus blocks running things so basically, I can never download anything now including the virus removal thing…

  73. Thanks so much! By using that internet options thing, I was able to use chrome and itunes and other programs that require internet connections, even though I had gotten rid of antivirus live, I still couldn’t do certain things. Thanks!

  74. Wow, I want to thank everyone for their help! My son came home from grad school and ended up infecting my wife’s work laptop from a very reputable site. The only site he had been on was a popular sports site that starts with an E—. I had a very short time to get her computer working again from the Antivirus Live virus. She had Micro Trend that did not catch it, but after reading everyone’s questions and answers, I downloaded Malwarebytes V 1.42 on my computer and copied the original program to a disk/USB drive and then to my wife’s computer. I booted up in safe mode (If you don’t remember, for XP, as soon as your infected computer begins to come up, after rebooting, press the F8 key and select safe mode). Malwarebytes caught and fixed everything but the ability to connect to the internet. Per several additional replies on the site, I restored her computer to a previous day and the internet worked perfectly.
    Have a wonderful New Year and again, I thank each and every one of you!

  75. Yep, Sonny’s solution worked for me also. I found that once one internet page had loaded the virus would take over and the net wouldn’t work. To remedy this I set the ComboFix download link as my homepage so it loaded up immediately, Thanks again!


  77. Hey Barry,

    It worked by restarting and opening task manager and deleting the process…thanks for all the help to admin and the other users.

  78. Can i seriously give a massive thanks to all the posts on here…its been a tough journey but i think im on the way to killing this thing!

  79. Hey I followed Kella’s advice and deleted the file but now I am unable to use any web browser. I tried rebooting but Chrome and Internet explorer are not functioning. Does anyone know how to fix this?

  80. I was attacked with the antivirus live bug as well, but Sonny Phono’s advice worked GREAT!! I used Combofix and it solved everything.

    And for the previous poster, when you get on the internet and it doesn’t work, try going to : tools>internet options> connections> LAN settings, and make sure all the boxes are unchecked. Then immediately go to the website that you want. I had to repeat the process everytime i changed a page on the internet, but that was the only way i could get mine to work. Good Luck!

  81. hey guys i removed the process from task manager before it went on, and then i used `quick scan` on malware bytes, i found the trojan and successfully deleted it. but when i turned my computer off for around 5mins then turned it back on, the virus came back!

    any ideas on how to help me. im not experienced with this.

  82. @Mikmaq
    I cannot get to my browser,not even in safe mode W\networking to change proxy.I can get to taskmgr fast but Im afraid to stop any processes.

  83. I went thru the LAN settings and corrected everything but when I went to Task Manager it opened just fine and I didn’t see anything ending in .exe Is that okay or should I look elsewhere?

  84. I don’t know how all of you guys are fixing this. I can’t change my LAN settings. The “apply” button is not changing anything. It won’t uncheck anything. I can’t open up the task settings or go online to download anything. What am I supposed to do??

  85. Andrew : Malwarebytes free does not have real time protection, so there is a good chance you got reinfected. Even more likely, it has not cleaned everything. Scan with spyware doctor AFTER you cleaned with malwarebytes – it might have missed something. If you are clean with second scan, then you get reinfected somehow and you need a tool with real time protection.

  86. Mike : stopping processes cannot harm your PC. In the worst case you will have to reboot and start anew. Deleting files might cause some trouble, so if you don’t feel sure, just rename them to something else and delete after reboot when you are 100% sure computer is ok.

  87. Brittany : yes, processes do not have extensions, just names. Files that launch processes have an .exe extension (sometimes .com, .pif, etc.)

  88. Got this virus. Changed LAN settings and downloaded Process Explorer and Malware Bytes but can’t run either. How can I run these programs? My Antivirus Live blocks everything I do and constantly pops up messages. I have Automatic Updates off because I had gotten a virus from it before, or so I thought. Should I leave it on for future reference? Don’t forget to answer my first question. Thanks.

  89. Not to jinx things, but I think Sonny saved the day. I was able to get into task manager before the virus took control, end the blwsysguard process, change the explorer setting to uncheck the proxy settings, and then access combofix as described. very helpful

  90. Steven : You need to disable processes before launching any of these programs, you might be able to launch task manager right after boot, or execute them in safe mode.
    You did not get Antivirus Live from the updates themselves (except if your hosts file was infected prior to the updates).
    Personally, I would recommend getting anti-spyware program with real time protection to avoid these problems in the future. Too many people rely on occasional scans 😉

  91. Precisely HOW DOES ONE get this???!!!!

    The first time I appear to have gotten this, I was on YouTube doing nothing more than playing music videos (Trans Siberian Orchestra). Actually infected twice under different set of random prefix names.
    The second time, a week later, I was on!
    Both times a couple of strange things occurred. IE hung while a page was coming up. Acrobat reader started to open, and then Norton firewall notified me that [random]sysguard.exe was trying to go to the internet.

    Prior to the second time I was infected, I had checked everything running on the PC, and all was legit.
    Is it possible that msmsgs.exe is a vehicle for this virus? Time will tell. Since I removed it from my startup (not sure whether or not it always was there) I have not gotten this MF again.

    BTW, a few extra tips for manual removal. And I did not have to use anything extra.

    1)Try to bring up the task manager while booting. As someone above said, you have to get to the task manager before sysguard starts running. After the first [random]sysguard.exe comes up, kill it but KEEP watching, it will often come up again (see item 3).

    2) The directory \Documents and Settings\username\Local Settings\Application Data will become hidden. After you delete the programs and directories, run a REGISTRY scan (norton). It should report the Registry entries associated exe’s with the virus (but not AVSAN).

    3)In the Registry look at both the CURRENT_USER and LOCAL_MACHINE. Entries will be in both places. Hey, I like a clean registry.

  92. Cant believe i got that Antivirus Live crap pop up on my laptop today when i got home. Freak me out cause last time I got “system recovery tools” (some virus like this one) I had to do system recovery from beginning which it worked for me. Now that this Antivirus Live show up, I took Sonny Phono/admin advice, I havent seen it pop up no more. Save me 15 minutes instead of 2 hrs (doing system recovery way). Thanks a lot guys!!!!!!

  93. I got hit today. This has been helpful. My operating system is XP. The Antivirus Live is a Windows program and will not run in the Protected Mode. Use F8 during re-boot, choose Safe Mode – DO NOT choose restore button. Search for text string sysguard while in safe mode and the file will most likely be in the Documents and Settings\<username\local settings\application data\\[NNNN]sysguard.exe. In my case the was klxmjb and the executable was pmitsysguard.exe. Click on the folder and hit the delete button – sending it to the recycle bin.

    If you cant find the local settings\…. path then you need to go into the control panel, click on Appearance and Themes and you’ll see the Folder Options icon. Click on it and the Folder Options window will come up. Click the View tab and mark the -Display the contents of system folder- and the -Hidden files and folders- (Show option). Now when using the file system explorer you’ll be able to see the local settings file and the rest of the path.

    After deleting the sysguard file, restart the computer and allow windows to load. The scam messages should be gone, but Internet Explorer may not connect. In Internet Explorer go to tools-options-connections and click on LAN settings unmark bypass …, unmark Use a proxy.., click OK, then restart Internet Explorer.

    There may be some residuals on the system that a valid anti virus program can remove, but it should be working properly at this point.

  94. Is there a fix that can be downloaded to a “clean” computer, then burned to a CD. Would this allow you to put the CD with the kill commands on it into the infected computer and kill Antivirus Live in this manner?

  95. Hey, just some info for anyone still having problems…
    I was able to open task manager right after I logged on, but there were no files ending in that sysguard thing. I looked at the properties for unfamiliar processes and it turns out my Antivirus Live processes claimed to be registered to HP and all were created on the same day, so I ended all those and it stopped freaking out at me, so I know that was the problem…just letting yall know it might be claiming to be something different!

  96. Dusty cross : Some antiviruses provide clean-on-boot cds, though the antiviruses need to have parasites in definitions. Sadly, most of them lack the ability to remove antivirus live yet.

  97. I found a way to run your task manager: Start it as soon as possible right after you enter window then just leave it until that “antivirus live” turn on then you can end task it

  98. Somebody said you just need to run in “safe mode” and then everything would be alright. try to delete any file have [random]sysguard.exe (even hidden files). With me, I tried to run Task manager as soon as i can them end task it After that, just restore my computer to 2 days ago and it’s gone. good luck everyone

  99. I got IT yesterday. I wanted to use many solution but I couldn’t open “exe file” also task manager because of antivirus live. How can I remove it?

  100. The easiest way I have found to get rid of this – at least with XP- is to reboot into safe mode and run system restore. I simply restore my computer to a restore point prior to the infection. I’ve had to do this on 3 pcs so far and it has worked great. I then always run a full virus/malware scan to make sure nothing was left behind.

  101. Thank you for providing effective and reliable advice in eradicating this virus. We restarted the computer and quickly went into Task Manager and found the sysguard to stop the process. Once that was complete, we purchased the Spyware Doctor and found 13 threats and 374 infections including 15 Trojan Viruses. THANK YOU is nearly enough! We only go to a few websites including Facebook and MySpace…although it sounds like people are getting this all over the internet.

  102. Got this nasty virus as a New Year’s gift…did a system restore in safe mode for a date earlier in the week, then removed sysguard.exe file, there was one. After rebooting, it tried to install itself again as “Sonic Update Manager”. Terminated process three times and opened Task Manager, which seemed to keep it from trying to install itself again for the moment. Went to Program Uninstall on My Computer, found Sonic Update Manager on list and uninstalled it. So far it seems to be gone for good!

  103. Just received this thing.

    I can agree with the usual symptoms being showed here, but I do have something…bizarre to report.

    After the attacks (Pop-Ups, no control over anything, leading to adult sites [which is even worse considering that this is the family computer] ) I noticed something strange…it disappeared.

    After I shutdown my computer (in panic) and restarted it after reading this guide, I can find absolutely no symptoms of Antivirus Live, not even the Symbol is showing up.

    Naturally I hurried to the task manager in an attempt to find its process before it started, hoping it was just delaying itself before another onslaught. But no…it’s not there anymore. This scares me witless, knowing that Antivirus Live can be ANYWHERE right now.

    I have now started scanning with McAfee, and hopefully it will pick something up, but I have low hopes for it, seeing as it didn’t pick up ANYTHING before the attacks.

    Anyone have any advice, please?

  104. @Ethan
    Let me also add to this. While searching for “Sysguard”, instead of the ****sysguard.exe I found NUMEROUS instances of Rkill.

    Please elaborate soon!

  105. Worked like a champ! thank you so much for the information. I had to follow a slightly different route though since I was never able to get to the site to download the product quick enough. I downloaded the program onto a thumb drive using a different computer then put thumb drive on infected computer and quickly executed the program as soon as the computer came up. @Sonny Phono

  106. Hey folks, I have also been infected with the Antivirus Live virus, it appears, although my symptoms are a little different than those noted above. I was originally infected (actually my daughter’s session on our family Windows XP system)two nights ago (NYE) and have since performed some research and acquired & ran both Spyware Doctor and RegCure (which I realize is more of a local only [registry] optimization tool) last night.

    I have no remaining evidence (on 2 of our 3 XP Home accounts) of Antivirus Live after running both of these programs. I guess my question here would be: do I need to run Spyware Doctor on each account separately?

    When I log into my daughter’s session, there’s a window from the system tray saying the system may be infected. There’s no way to ‘x’ the window (the x is greyed out); it’s either yes or no, which I know better than to click either one – and I’m pretty certain this is how my daughter initially activated this thing.

    Additionally, I do not see any file containing sysguard.exe in Task Mgr, nor do I have any issues accessing the internet, except perhaps on my daughter’s account. Now, I am also unable to scan again using the Spyware doctor application. The main message I receive upon opening this app is “System Status: Spyware Doctor engine is restarting in 0s” and 7 of the 8 messages are noted with a status of “Checking…” with the exception being the Product Version number, which is displayed as Spyware Doctor appears to be “locked” in this state indefinitely. This will not allow me to run subsequent scans.

    Because of this I have now run Combofix, and rebooted my system, which still appears to be functioning normally, with the exception of not being able to run the Spyware Doctor program.

    Can anyone help me here – I’d like to run Spyware Doctor on an ongoing basis so I can continue to monitor this matter.

    Thanks in advance for any assistance…

  107. hey i dont know if anyone else got this problem after following sonny’s advice, but this is what happened. I got infected by antivirus live so i went to the task manager deleted the correct thing, then I downloaded combofix and windows recovery system and no voila… instead my computer rebooted and now windows wants me to activate… i keep typing in the key (which is taped to the side of my computer) and now my very own key doesn’t work…

  108. Hiya
    Ive got it since last few days and i have tried everything,but nothing seems to be working.

    I have logged to Guest acount,and downloaded the ” Combofix ” and when i run it i get this message, ” Errors encountered while performing the operation look at the information window for more details ”

    Can someone please help me?

  109. yeah thanks for the help, my buddy was on Youtube and got the virus. No other tabs were open, we were trying to create a Channel for our new show. This is a whopper of a virus.

  110. The latest version of this virus won’t even let you bring up the task manager. When hitting CTRL-ALT-DEL a dialog box pops up with the virus alert message. To get around this I re-booted and while programs were running after logging in, I went right to the task manager before the virus loaded. Then when it loaded and came up on the task manager I deleted it then was able to download superantispyware and that removed the virus.

  111. I woke up to this little gift this morning – awesome since I was recently laid off and need my PC for job hunting. Thanks to having Firefox installed (IE was rendered useless) and finding this site I was able to complete the fix and have my system back in about 2 hours.

  112. My son called from home to say this pop up keeps asking to update our virus scanner: thankfully he left it alone; upon boot I accessed the Task mgr right away and stopped my version of ‘xxxsysguard.exe’ and promptly searched for the file name (including hidden files because it is hidden) and deleted it. It also hijacked my LAN settings for IExplorer, after resetting to ‘auto detect’ it worked like a charm and I am now surfing. Only public place we have been to is facebook… Thanks for all the help- great site!!

  113. I have been having this problem too, but none of these ideas are working for me. I can’t access the internet at all (on a different computer now) even after I change the proxy settings. And the task manager won’t come up no matter how early I try to open it. The virus is loaded immediately. Any other options?

  114. Ok, all good advice except when I turned my computer off to reboot, my monitor will not come out of sleep mode!! How do i get a chance to clean if my monitor won’t work??
    Any suggestions?? Ideas??

  115. 1. Open Internet Explorer. Click on the Tools menu and then select Internet Options.
    2. In the Internet Options window click on the Connections tab. Then click on the LAN settings button.
    3. Click Advanced, Remove the values under HTTP: “?” and port “5555” click OK may have to click Yes
    4. Now you will see Local Area Network (LAN) settings window. Uncheck the checkbox labeled Use a proxy server for your LAN under the Proxy Server section and press OK.

  116. Thanks for the help, I think I’ve killed it. The author(s) of AntiVirus Live should be removed from the Planet !

  117. I now have a new problem. I can boot up in safe mode and downloaded malwarebytes and it shows nothing wrong. Comes up clean. I cannot download rkill. When I start my computer not in safe mode, it goes as far as the xp screen, then shows a black screen and won’t go further.
    I at least have a start finally. Thanks for all ideas and suggestions!

  118. Christian: imho you should try using Spyware doctor (the remover I recommend) . Do a full system scan in safe mode.
    Also, there is a possibility that your system files are corrupted, and you will need to repair installation.

  119. Wow. That was not a fun thing to come home to. My wife tells me that the antivirus stuff is ALL over the screen and I still don’t know if it was somehow triggered…Does anyone know if there is a point where the user can somehow say ‘no’ to prevent the beginning of the virus?

    Anyways, I reloaded a restore point from safe mode and ran PC doctor-I then saw the virus and removed it (I HOPE) with combofix.

    It’s great that there is so much good that can still come from the internet!

  120. Hi, it’s on my computer but I tried everything you guys listed and it’s not working IDK what to do. I tried to download mcafee from my internet company but the anti spyware isn’t letting me

  121. Got nailed with this piece of Junk today and followed Sonny’s advice about getting ComboFix started before AntiVirus Live started up. Used the Suggestion from Bleeping Computer to repair the Windows Recovery Console using this file from Microsoft ( I make it a habit of keeping ComboFix as well as this file on my desktop at all times Updating it at least once a week. Not the first time I have had something like this get installed on my computer. Far easier if you already have it on hand. Also have Malwarebytes as well. These 2 work very well in combination. Thanks for the help.

  122. After about 4 hours of frustration after “acquiring” AVL, searching the web for answers (from another computer, loading a removal tool onto CD and trying to run it on the infected computer from the disc, I was ready to call my techie stepson screaming HELP! AVL blocked EVERYTHING I tried to open. Here was my breakthrough as I followed your manual instructions. I realized the AVL process had to be stopped. Clicking “control–shift–esc” repeatedly would flash the taskmanager open only to be blocked time after time. Then I held the 3 keys down simultaneously, and after AVL blocked it several times, it finally GAVE UP and task manager opened and stayed open! Yesssssssss! I was able to stop the AVL process and downloaded Spyware Doctor and after a full scan and clean, all is back to normal and SD is now monitoring my system. Another note–I use eset NOD32 antivirus, and AVL did block it. Thanks for a great product and I hope this may help others!

  123. @admin
    I can’t get to the task manager in order to stop the process of the antivirus live … could this possibly be linked to Evony?

  124. This virus just gets worse as it gets older. I thought I killed it a few days ago, but it’s back again and much stronger. I think it must have more hiding places than anyone here knows about! It won’t let me start in safe mode, and I just have around 90 Seconds to try and do anything on the computer before it kicks in. In that time I can start any kind of virus scan / search i like, but it stops it as soon as it wakes up. Any ideas???

  125. Reid : you would get quite a bit fewer infections if you kept something with Real-time protection.
    Thank you for a link to repairing Windows recovery console.

  126. Used Randall’s fix (Dec 21 above) — killed xxxsysguard.exe in task manager, and did a system restore to a couple of days back — seems to have worked just fine. Thanks all for the sage advice!!

  127. i was having problems w/ my laptop with avl it was opening popups and pornography sites and i followed advice from this website so after starting up my computer i opened taskmanager and ended some processes and the pop-ups stopped,but i wasn’t sure if everything was completely gone so i downloaded Spyware Doctor 2010 from,and i’m pretty sure everything is cleared up,if it’s too good to be true feel free to reply to this

  128. Sonny: Thanks for the instructions. I worked on it for hours yesterday and thought I had it fixed when it suddenly returned. Your method was the most clear and simple. I will take the admin’s advice and run additional scans with malwarebytes and spywaredoctor to be be safe but I appear to be O.K.

  129. i have found one thing that has so far blocked live antivirus from getting in my computer for now it, is called threatfire which is free on cnet.

  130. Our home PC got hit with this nasty virus yesterday (1/9/10). I did exactly what Ripple describes above (1/31/09 entry) and it worked perfectly. I ended the xxxxsysguard.exe process thru Task Manager at start-up and then found and deleted the folder it was in. Thanks for the great advice.

  131. so. I managed to download combofix. But it doesnt work. It still wont start even if i’ve restarted over and over again. But the virus doesnt pop up at all anymore. The warranty came up, but nothing else. And as I said. Combofix wont work, but the virus seems to be gone

  132. its curious that my simple fix was not posted? Seems someone wants everyone to jump through hoops to fix this problem?? People–As you reboot press f8 and you will come up in safe mode–Then follow the bouncing ball to backup your system to a date prior to getting infected. You will not lose any data and you will be done. !

  133. I was able to use taskmanager to get rid of mine. What I did was unplug the back of my tower, and plug it back in. I then restarted it, and as soon as i logged back in to my user account, i hit esc,ctrl,shft…taskmanager popped open and I was able to find sysguard.exe and terminate it.

  134. Johnny : Your way is not working for everyone. Many strains of Antivirus Live infect restore points as well. Also, quite often people do not access safe mode due to infections.

  135. Hi, this is how I sorted it. I shut down my PC, restarted, and as soon as my windows booted up I hit the ‘ctrl,alt,delete’ keys all at the same time to bring up ‘Task Manager’ before ‘Antivirus Live’ had a chance to start up and stop it. Went to ‘processes’ at the top, scrolled down till I found and highlighted ‘drfesysguard.exe’ [they may not all have the same name but if it has ‘sysguard.exe’ within the name, that is most likely the one you’re looking for] then I clicked on ‘End process’ to shut it down, you have to shut it down otherwise you will not be able to delete it or open any programs, also it would be a good idea to write down the full name of the file you find so you can enter it in ‘search’ as I did next. I was then able to open up all my programs as normal. From the ‘Start’ button I then opened ‘search’ and put in the file name that I found which was ‘drfesysguard.exe’, started a search in all folders and also in hidden folders. I found two files of the same name, I right clicked on them and selected ‘delete’ to remove them. Next I ran my AVG antivirus and found ‘trojan down loader agent virus’ and removed it. When all seemed to be working ok, I then emptied the deleted ‘drfesysguard.exe’ from the recycle bin ….. So far, fingers crossed, it looks like I’ve got rid of it. Hope this helps. Regards. Ron

  136. I now have this virus and can’t do anything I have tried following advice but it won’t even let me in to the task manager even on restarting if i can hit the keys in time it just gives me the option of logging off switching users etc (im running windows home vista) anyone any ideas this is driving me crazy I feel like hunting the culprit down!

  137. why wont my Norton 360 remove this virus for me? I dont have anything else and in light of circumstances, i’m not willing to trust anything else. The disgusting scum that create things like this owe me 10 hours of my life back. If anyone has any helpful ideas about norton and the removal of this virus please let me know.

  138. Thanks to all the comments above. A family member inadvertently downloaded this nasty little bug today. It was easier than I thought to get rid of it (cross fingers). While the tips printed here helped, I found out that careful assessment of the system plus patience were all you need.
    NAV won’t find the program.
    In order to avoid detection, the program replicates itself, yet only in the users\nameofcurrentuser directory.
    I found about 60 replications of the program with random names (letters, name of user, “user,” etc.). Only the copies in \appdata\local\ used “sysguard” as part of the name. Replicas were easy to spot: they have the same (small) size and they were created within four minutes of each other. Most of the replicas were in \appdata\local\
    What I did:
    I looked into the \users directory and subdirectories, for items modified today. (In order to do this, you need to modify your folder options so as to be able to access and see system files and directories; as this is my default setting, I don’t know if the virus would let you modify it.)
    I deleted all .exe files of the same size created within minutes of each other.
    One of the files was in use and could not be deleted. This is the active program. I could, however, rename it, taking away “sysguard” and the .exe extension.
    I did a forced reboot of the system, and chose “safe mode with command prompt.”
    Using the DOS prompt, I located the renamed file and deleted it.
    I rebooted the system. It restarted normally. Firewall blocked features of two programs which I guess were activating the LAN options-proxy settings. Looked for those programs but could not find them.
    I changed the internet options, getting rid of the proxy settings.

    So far it worked.
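The replica-spotting heuristic from comment 138 (same small size, .exe, created within four minutes of each other inside one user's profile), written out as an added triage script. This is example code, not something posted in the thread; the function names, the minimum cluster size of 3 and the sample file names are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

WINDOW_SECONDS = 4 * 60  # assumption: the four-minute spread the comment reports
MIN_CLUSTER = 3          # assumption: smaller groups are treated as coincidence


def find_replica_clusters(root, window=WINDOW_SECONDS, min_cluster=MIN_CLUSTER,
                          time_attr="st_mtime"):
    """Group .exe files under `root` by exact size, then split each group into
    runs whose timestamps all lie within `window` seconds of the run's first
    file. Returns a list of (size, [paths]) for runs of at least `min_cluster`.

    time_attr: stat field to compare. st_mtime is portable; on Windows use
    st_birthtime (Python 3.12+) or st_ctime (earlier) for creation time."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or removed while scanning
            by_size[st.st_size].append((getattr(st, time_attr), path))

    clusters = []
    for size, entries in sorted(by_size.items()):
        entries.sort()  # oldest first
        run = []
        for stamp, path in entries:
            # Close the current run once a file falls outside the window.
            if run and stamp - run[0][0] > window:
                if len(run) >= min_cluster:
                    clusters.append((size, [p for _, p in run]))
                run = []
            run.append((stamp, path))
        if len(run) >= min_cluster:
            clusters.append((size, [p for _, p in run]))
    return clusters


def build_sample_profile(root, base_time=1262700000):
    """Constructed sample data: a fake profile tree with four same-size
    replicas written inside three minutes, plus benign look-alikes."""
    local = os.path.join(root, "AppData", "Local")
    docs = os.path.join(root, "Documents")
    os.makedirs(os.path.join(local, "qwxyz"))
    os.makedirs(docs)
    files = [
        # (path, size in bytes, seconds relative to base_time)
        (os.path.join(local, "qwxyz", "abcdsysguard.exe"), 2048, 0),
        (os.path.join(local, "user.exe"), 2048, 45),
        (os.path.join(docs, "lkjhg.exe"), 2048, 110),
        (os.path.join(root, "zzz.exe"), 2048, 180),
        (os.path.join(docs, "oldtool.exe"), 2048, -5 * 86400),  # same size, days older
        (os.path.join(docs, "setup.exe"), 900000, 60),          # different size
        (os.path.join(docs, "notes.txt"), 2048, 60),            # not an executable
    ]
    for path, size, offset in files:
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (base_time + offset, base_time + offset))
    return root


def demo():
    """Run the scan over the constructed tree and return relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return [(size, sorted(os.path.relpath(p, tmp) for p in paths))
                for size, paths in find_replica_clusters(tmp)]


if __name__ == "__main__":
    for size, paths in demo():
        print(f"{size} bytes, {len(paths)} files written close together:")
        for p in paths:
            print("   ", p)
```

A cluster is a lead to review rather than a verdict, since installers also drop identically sized files together; only one of the flagged copies in the sample carries "sysguard" in its name, which matches what the commenter saw.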

  139. I was infected with this scumware, it’s one of the nastiest I’ve seen in terms of preventing the user from removing it. The version I got gave me that obnoxious pop-up message “The application could not be executed. is infected.” no matter what I tried to run. I tried launching Task Manager, Process Explorer, cmd, regedit, Internet Explorer, Spybot S&D, Avira Antivirus…nothing would start! So then I tried to run some stock trading software I had installed, and got the same popup message. I even tried starting some of these from a remote computer using psexec, but with the same results. Apparently the scumbag virus authors saw that various web sites were recommending using Process Explorer to kill *sysguard.exe, to get around the fact that Task Manager is blocked, so they put out a new version that simply blocks ALL executables.

    Well, not quite all. Internet Explorer runs, but every web page is blocked with a message saying that the web site you were trying to access is dangerous, and providing links to “protect your computer”. Note, BTW, that I had a Firefox session already open, and was able to browse unobstructed with that, but downloading a removal tool would have been a waste of time because I wouldn’t be able to run it.

    What I ended up doing to get rid of it was using pskill from another computer on my network to kill the *sysguard process. I was then able to launch applications again, and proceeded to delete the files and registry entries listed above (BTW, I’m very curious to know how this garbage got past TeaTimer to gain access to my registry…).

    If you have the version that blocks all applications, and you have another Windows computer on the network, you can accomplish this by following these steps:

    1. First of all, if you don’t already have it, download the Sysinternals Suite (on your uninfected computer, of course) from:

    Unzip the file into a directory of your choice. No further installation is necessary.

    2. Open a command prompt and navigate to the directory containing your Sysinternals utilities.

    3. Enter the following command:

    psexec \\ cmd /c net start remoteregistry

    is the name of your infected computer (do not add the angle brackets).

    This starts the Remote Registry service, which is necessary in order for the next step to work. You should receive a message saying “cmd exited on with error code 0”.

    4. Enter the following command:

    pslist \\ | find "sysguard"

    You should receive a single line of output in the following format:

    ####sysguard 5344 13 1 173 2704 0:00:00.203 0:00:02.359

    The #’s are some random characters. The first number following the name of the process (5344 in this case, but yours will be different) is the process ID (PID).

    5. Enter the following command:

    pskill \\

    Again, don’t include the angle brackets, just the computer name and the PID number (e.g. “pskill \\HAL9000 5344”). You should receive a message saying “Process on killed….”

    6. On the infected computer, you should now be able to run applications. Remove the files and registry entries listed above.

    IMPORTANT NOTE: If you’re running Vista, the virus’s files will be located in %UserProfile%\AppData\Local, not %UserProfile%\Local Settings\Application Data\, which doesn’t exist.

    (Yes, I snuck in a “2010: A Space Odyssey” reference in honor of the new year. I am a geek, I admit it…but if I weren’t, I wouldn’t know how to defeat this virus.)
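Steps 4 and 5 of the comment above depend on reading one PID out of `pslist` output by eye. The following is an added example, not part of the original comment, that parses saved `pslist` output, refuses to proceed unless exactly one process name contains "sysguard", and formats the `pskill` line for the operator to review. The function names and the sample output (laid out like pslist's default columns) are constructed for illustration.

```python
import re

TIME = re.compile(r"^\d+:\d{2}:\d{2}\.\d{3}$")

# Constructed sample in pslist's default column layout.
SAMPLE = """\
Process information for HAL9000:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   2    0      0     5:12:30.000     0:00:00.000
System                4   8  97 1200    300     0:01:10.500     5:14:02.100
explorer           2208   8  21  650  28000     0:00:12.100     5:13:40.000
qwhasysguard       5344  13   1  173   2704     0:00:00.203     0:00:02.359
"""


def parse_pslist(text):
    """Return one dict per process row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        # Split from the right so a process name containing spaces stays whole.
        parts = line.rsplit(None, 7)
        if len(parts) != 8:
            continue
        name, pid, pri, thd, hnd, priv, cpu, elapsed = parts
        if not all(f.isdigit() for f in (pid, pri, thd, hnd, priv)):
            continue
        if not (TIME.match(cpu) and TIME.match(elapsed)):
            continue
        rows.append({"name": name.strip(), "pid": int(pid),
                     "threads": int(thd), "elapsed": elapsed})
    return rows


def select_target(rows, needle="sysguard"):
    """Return the single matching row; raise instead of guessing."""
    hits = [r for r in rows if needle in r["name"].lower()]
    if len(hits) != 1:
        names = [h["name"] for h in hits]
        raise LookupError(f"expected one process matching {needle!r}, "
                          f"found {len(hits)}: {names}")
    return hits[0]


def pskill_command(computer, row):
    """Format the pskill line from the comment; the operator runs it by hand."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,63}", computer):
        raise ValueError("unexpected characters in computer name")
    return f"pskill \\\\{computer} {row['pid']}"


if __name__ == "__main__":
    target = select_target(parse_pslist(SAMPLE))
    print(target["name"], "->", pskill_command("HAL9000", target))
```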

  140. I used the run->msconfig method in safe mode, and so far so good. Followed up with a search for files containing ‘sysguard’ and blew away one more.

    If I ever find ANYBODY associated with creating or promulgating this virus, well; I’ll take my chances with a California jury (and multiple appeals if it comes to that)… the pieces of excrement who did this can discuss their sins with the Lord/Jehovah/Allan/Yaweh once I’m through with them.

  141. I just got AVL today and I tried booting in safe mode.. no luck. Now, immediately after I log in, it shuts down and logs me off! I hear the startup music followed by the shutdown music. Pressing CTRL-ALT-DELETE doesn’t bring up anything. How can I break into it, or start it in safe mode, so I can do the manual fix?

  142. Ron,

    I could kiss you! Running SuperAntiSpyware and it seems to have found a bunch of stuff. I’m mad at Microsoft Security Essentials which keeps popping up now and then between the few days and telling me my PC is clean which it is not. Malware Anti-Bytes only found one thing. So this SuperAntiSpyware is real gold! I managed to get the taskmanager popped up, I then clicked on my toolbar where AntiVirus Live was so it would pop up, then I found the process and ended it. From there I could download Super Anti Spyware since Antivirus Live wouldn’t let me download anything or even open up photoshop (twas bored). I’m gonna let the scan continue to run while I do something else but hopefully all will go a-ok. Good luck future anyone else who gets this.

  143. Update: Somehow I was able to get into my profile. I had just enough time to start Internet Explorer .. fix the proxy… then download combofix. I then followed Sonny’s instructions and that seems to have worked. Thank you guys very much!

  144. I just wanted to say a big thank you for posting the instructions on how to remove this annoying virus! I work from home, so if I did not have a working computer tomorrow, it would not have been good. The instructions were great, though I had to remove the proxy address as after repeatedly clicking on the use a proxy server box was not helpful. I was suspicious of the anti virus live and googled it on my iPhone. I hope it’s gone, though due to issues with pulling up my task manager, I did fail to look at what process I ended. I hope this doesn’t happen again when I reboot. I am running spyware doctor now, so fingers crossed. Thanks again for posting these instructions!!!

  145. This seems to be the most direct way to stop this thing…. Step 1. Disconnect your computer from the internet (unplug ethernet, disable wireless, etc). This will disable the bugger and takes away its lifeline. You’ll then be able to safely close the litany of windows it has opened and allow you to open config windows as normal and delete the file. Step 2. Go to start menu, RUN, and type in msconfig in the open box and click OK. Go to the startup tab and look for something called ending in sysguard.exe. Unclick the box and then expand the command tab to see where the thing is living. Follow that string from the C: drive (usually) and you may need to type in the location. Look for the file that contains the sysguard.exe file and delete the file. Exit out, reboot, plug back into the internet, and be careful not to click on unknown banners or emails in the future. Good luck.


  147. Thanks Steve #156! Alt-Ctrl-Dlt did nothing for me when trying to open up the task manager but after seeing your comment and trying Ctrl-Shft-Esc it worked in a matter of seconds. I was finally able to download Spyware Doctor and all seems well. Good luck to everyone else :/

  148. Thank you for the info, seemed like a nasty little virus… I had Avira AntiVir and haven’t had a problem with anything. Started having pop-up issues so a friend recommended me to use window works. Downloaded it and forgot to remove Avira. Somehow I had a conflict and AntiVirus Live decided it’d like to take a hold of my computer by the ram and give me a rough time.

    Got to say thanks guys, hopefully Avira will pick it up.

    Tried doing safe mode to repair the problem, but was giving me a nice little blue screen saying I had hardware problems… 🙁 what a mess I had.

  149. no problems with the live virus here, using threatfire didn’t even know it was out there until cousin was infected with it on 2 of his laptops. still haven’t got infected by this nasty virus yet. i have had threatfire since the 360 antivirus came out. oh and from what i have read the live virus is not a virus, it is malware.

  150. I really need help! I run firefox, so I can enter websites just fine, but internet explorer doesn’t work at all. I did all the steps above, but I couldn’t open task manager, so I downloaded the process explorer in the link and downloaded it to my desktop. But now I can’t open that, because it says it is infected. What can I do???

  151. I just had to chase this sneaky virus off my niece’s laptop…

    One hint, download and install the Process Explorer in Safe Mode with Networking. Next, reboot in normal mode and quickly open the Process Explorer. If you are not quick enough the virus will start first and block the program.

  152. Hello,

    I was short on time, but skimmed through most of the info here in these topics, but I figured I’d get to the point. My bf downloaded and paid for this Antivirus Live software, and I went ahead and restored his computer to factory defaults, because he didn’t really have much on it, will this be enough to get rid of the virus? I haven’t really found any trace of it. I would also be curious how to get the money back, but I know that’s not your problem either.

    Any help would be appreciated.


  153. I think I have this virus removed. Is my computer secure again, i.e. can I online bank, shop online with my credit card info? Or should I be hesitant about that?

  154. Linda : Best is to scan with couple good free anti-spyware scanners. If they find nothing, you are clean with high enough probability.

  155. @Carrie Have your bf call the bank/credit card co./paypal, whatever he used…I told my bank I was the victim of this scam, and they are sending me forms to be able to get my money back! Make sure he changes his card #’s, etc. The Antivirus scammers put another $1.50 charge through before I could stop it.

  156. So of course my computer has recently been gifted with “antivirus live”.

    I downloaded the Spyware Doctor. It scanned. Found a lot of threats and infections. But what do I do to get rid of all of them? Buy the full version of Spyware Doctor? I think not. =/

    Is there a website with a program that will delete virus and such from my pc without the need of spending my money to do so?


    ps but what program do I need to download?

  157. threatfire is a good program that will run along side most antivirus programs. and it is free on also another program that will work is malwarebytes program.

  158. The tips given on this forum are quite good. One other thing you might want to do, if you have the resources, is remove the drive from the PC it resides in and install it as a non-bootable drive in a spare PC. It is quite easily removed at that point. I am an IT consultant, so I have the equipment but I realize not everyone does. That said, I have been doing battle with this malignant code for a couple weeks now, on a multitude of PC’s and this method saves me a lot of time.

    In order to restore your ability to enter safe mode, you may need to run “safe mode fixer”. Y

  159. @admin
    So here is what I did. Many new PCs start processes too fast to beat. So reboot your PC and hit F8 till you get a screen that allows you to start in safe mode. Open Control Panel, then Internet connections, go to connect, then click on the LAN button. Unchecked the box on the bottom and you should now have access to the Internet. Then run combofix from the above mentioned site.

  160. @justin
    Hey Justin. I’m not that great at computers, but originally I had the idea that if I unplugged the internet I could maybe delete it. After I did I wasn’t sure how to delete it though. Your creative way has helped, but I am stuck.
    I did all of the steps, until the “StartUp” tab. Once I got in it I couldn’t find a sysguard.exe. I DID find something called affsysguard. I think it might be it, so I unchecked the box and hit apply. I don’t know how to search for it now. Any help would be great, thanks everyone God Bless!

  161. Many thanks to Sonny, Admin, Ron, others. It took about 2 hours of checking, unchecking, reboot, magic words but I deleted it. That was the first time I had a virus that did that. I was able to hook up my laptop and find this website, what a lifesaver. I was using my computer this afternoon and bang. Thanks again.

  162. THANK YOU SO MUCH! MY computer showed signs of infection today and I found this using Google. I thought I was done for. The virus just kept popping windows and starting IE all by itself showing some nasty sites. I followed Sonny Phono’s advice #3 above December 7th, 2009 at 19:32. Saved me HOURS of work. THANKS AGAIN.

  163. My saving grace was that I’m using Firefox so I was able to get on the internet and find all these posts about how to handle this. A quick start of Task Manager on reboot enabled me to stop the AV Live process. I then used Msconfig to find where this rascal lived and terminate him. Thanks to everyone for posting useful info.

  164. Pheeeew! This site saved me a lot of time! Thanks guys and gals! Did a restart hit control alt delete b4 the antivirus live started found the program with guard.exe and ended process went in and changed lan setting downloaded combo fix and its running now……awesome

  165. Antivirus Live will not allow me to access my Task Manager and does not allow me to run Process Explorer or Spyware Doctor saying they’re infected. Please email me, I don’t know what to do, I just want this gone

  166. Daniel : Reboot your PC and a) try using safe mode OR b) Once you are logged in, hit ctrl+shift+esc couple times. That should launch task manager – virus is activated later and will not close task manager that was launched before its activation.

  167. i’m cracking up tried everything can’t shift antivirus live! Thought it was my fault but turns out some computer wize kid had my laptop! Can anyone help me i have no idea about computers???

  168. Hello all, I too suffered from this insidious beast Anti Virus Live. I was on a very common website, and I think a banner that I accidentally clicked on delivered the worst case of malware I’ve ever experienced!!! I had all the same problems as mentioned above. That beast AVL took over all my applications, and drove me insane!! The way I got rid of it once and for all was a stroke of luck. After nearly 5 hours of trying, I rebooted my system. I saw how long it took before that hideous blue shield icon reared its ugly head onto my task bar. So then I rebooted again, and before it showed its ugly self, I was able to start up my Lavasoft Ad-Aware. Ad-Aware found it, and resolved it once and for all. Hope this helps

  169. Hey everyone,
    Thanks for all your information. My pc got infected 2 days ago and I was super worried. Thank God I have heard of programs like this that are fake and try to get you to buy this piece of crap!!!! Thanks admin, sonny and all, you have helped me so much. I haven’t tried anything yet, as I am not able to access my pc at the time, but I will be able to do it in a few hours… THANK YOU THANK YOU THANK YOU EVERYONE!!!!

  170. I got this 2 days ago. I have Norton360 & called them as I could not get to anything. Task Manager corrupted, Ccleaner sent me to a porno site as did my home page – ARGH!
    Norton told me it is not a virus but a downloaded program & that’s why it was not detected or blocked, then charged me $100 to get rid of it. Yes, I paid as I could not even open Firefox to try & find a fix for it & had no idea what else to do.
    Things seem to be working again now but I would like a suggestion or two of any other programs out there that I might run to make sure it is detected before it is downloaded in future as Norton360 is not going to ever be helpful.
    FYI – I also got it from YouTube & I did not download anything so how it’s jumping into systems is a mystery to me.

  171. Hi!
    I don’t know exactly what to do…I am running my Norton at the moment and I’m seeing that it is not detecting the antivirus live. I read through all your instructions but I don’t want to download anything from this page concerning its removal. What should I do?

    Thank You, Leslie

  172. @Leslie
    Hi Leslie,
    I had the Antivirus Live just this morning. I got it from a link on Facebook.
    You will have to download the Explore.exe referenced in the article above. Once running, you will be able to locate the %sysguard.exe file. The Explore app will allow you to delete the file, and thus the malicious app will stop popping warnings, as well as allow you to run and update your antivirus application. Just follow the steps listed in the above article and you should be up and running again soon.


  173. Thank you Sonny Phono After days of searching and offers For as much at $150 for cyberdefender to take off the antivirus live…you were right…followed your steps…and was patient….lucky I had mozilla Firefox which was still running….took about 20 minutes to complete. That is the best real anti virus do I want to run now for protection? Which security program Norton 2010 or McAfee?
    Please advise

  174. I’m not sure which virus my husband downloaded when he opened a link on facebook…. how many times did i tell him not to! but right now i can access internet but have lost a lot of my basic tool bars on explorer. i can’t copy and paste or print and i can’t download either. the search engines don’t work either. do you have any suggestions. thank you

  175. My computer is infected and i don’t know what to do my icons won’t activate spyware doctor won’t activate…..HELP!!!!!!!!!????

  176. Jeanne : I would go with ESET’s nod32 or Kaspersky. Imho they are better than Norton or McAfee. Also you should have an anti-malware program with real time protection, good choices would be spyware doctor, maybe superantispyware or full version of malwarebytes.

  177. @helen
    The easiest way to get rid of it is to not go on safe mode. Before the Antivirus screen pops up click task manager by right clicking the date. Go to the process tab and whenever anything with guard.exe appears end its process. This allows you to run your antivirus program (I use malwarebytes) and get rid of the hindering pop ups. Once the infected items are detected delete them and restart your computer. SO easy peasy a 14 year old can do it and figure it out!

  178. I got the Antivirus Live bug and read your instructions. I went to Task Mgr and the processes tab, and looked for [random] sysguard.exe but it wasn’t there. Earlier when I got a warning that one of my files was corrupted/attacked, it gave the filename as ssu.exe which I couldn’t find in the list either. Any ideas?

  179. i was infected the other day with this, and used malwarebytes to remove. haven’t had any problems with it reappearing, however, my computer is VERY slow now, and the mouse freezes up. any ideas as to what might be causing this? I run adaware, mcafee also. ??? Thanks!

  180. Marge : It is obvious that malwarebytes hasn’t cleaned everything in your case. Typically, you get a mix of different parasites, not a single parasite and removers might miss some. Thus it is good idea to scan with other removers, like Spyware doctor.
    Also Malwarebytes does not fix corrupt PC settings: infected hosts file or malicious proxy settings in your browser. Not sure why it is so, as it is a well known problem for couple months already, but you have to check your browser settings if you used Malwarebytes to clean Antivirus Live or couple similar parasites.

  181. Help! I had this problem a couple of months ago and was able to get rid of it thanks to the comments here. I went to Task Manager and found a sysguard file. Once I ended it and then ran a scan, everything was fine. (I used SpyBot, btw). But now this stupid thing is back! I went through every single file in Task Manager and there are no sysguard files. Has anyone come across a different file name for this virus?

  182. Dudes and dudettes that AntiVirus live sucks! I got it one time and I didn’t have a computer for a week. In fact I got it while downloading JavaScript. I got the AntiVirus Live while on Albino Blacksheep.

  183. i had gotten rid of this anti virus live a while ago, since then, there has been a few things that no longer work on my laptop, example… internet explorer, my itunes store, my windvd that plays my bluray discs, etc. how would i fix these problems?

  184. Hi Everyone…I have an easier option to get rid of the anti virus live….simply download ‘Norton internet security 2010’ and it will find the software and delete it…I got it tonight and this is what i did….you might have to run a full system scan a couple of times x

  185. This virus will not allow you to open any downloaded file, nor will it let you open a task manager / process explorer. I have encountered it a few times now and have found the best way to remove it is either 1) boot into safe mode(with networking) run the msconfig tool, look for any “odd” program names that are stored in your c:\programdata folder, uncheck these, open a MSDOS window and navigate to the folder location given in the startup tab of msconfig, manually delete all files that are not a windows or known process. Reboot to normal mode, install malwarebytes anti-malware, run it let it remove what it wants then you should be ok to download / install a new anti virus.


    use a linux live cd and manually remove the virus file (advanced user only, as you can damage your windows installation doing this).

  186. TY for this, but unfortunately since you published this, the programmer got smart, it is no longer “sysguard.” I can’t tell you what it is now.

  187. This was excellent instruction to simplify a scary and difficult situation. Worked perfectly for me. Thank you!

  188. Help umm I got the virus gone but something about my computer won’t let me change the LAN settings. I unchecked proxy, hit OK, but apply won’t light up and let me hit it. Any suggestions
