Antivirus Soft Analysis and Removal

by Shanmuga

Antivirus Soft belongs to the Antivirus Live family. Once installed it completely takes over the system and aggressively displays a variety of fraudulent alerts about non-existent malware and infiltration attempts. This scareware installs the Fake Windows Security Center, in which every link leads to the payment page for Antivirus Soft. It hijacks Internet Explorer and automatically opens a specific set of porn websites every few minutes; Internet Explorer is allowed to visit only the sites related to this rogue security software. This is achieved by modifying Internet Explorer's proxy settings.


This scareware blocks execution of most of the programs. Firefox was able to open and browse the Web normally.

A rogue security software such as Antivirus Soft belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.

Antivirus Soft Aliases

This scareware is known by the following aliases:

  • Trojan.Win32.FakeSpypro!IK
  • Win32.RogueSysGuard
  • Win32/SystemGuard2009.CH
  • Rogue:W32/SysGuard.AD
  • Trojan.Win32.FakeSpypro
  • FakeAlert-SpyPro.gen.a

Typical Antivirus Soft Scare Messages

Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Vulnerabilities found. Your computer is infected by spyware – 34 serious threats have been found while scanning your files and registry. It is strongly recommended that you disinfect your computer and activate realtime secure protection against future intrusions.

Infiltration alert. Virus Attack. Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.

The trojan downloader was named 6507f.exe and is about 279296 bytes in size. It is detected by 12/39 (30.77%) of the anti-virus engines available at VirusTotal.

Antivirus Soft Associated Files and Folders

  • C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\nfjrmn\xlhnsysguard.exe
  • C:\WINDOWS\Prefetch\XLHNSYSGUARD.EXE-37237EBB.pf

File and folder names are randomly generated.

Antivirus Soft Associated Registry Values and Keys

  • HKEY_CURRENT_USER\Software\avsoft
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlmhkwlw
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlmhkwlw
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
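As an added example (not the article's or the site's own code), a small Python triage script that parses a .reg export of a user's hive and flags the indicators listed above: the avsoft key, a Run entry pointing at a *sysguard.exe (or the *sftav.exe variant readers report in the comments) under Local Settings\Application Data, the localhost proxy, and the disabled download signature checks. The sample export is constructed; the Run value name, folder name and executable prefix are assumed and are random on real infections.

```python
import re
# Constructed sample of a "Windows Registry Editor Version 5.00" export (the
# format "reg export" writes); not taken from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\avsoft]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"nlmhkwlw"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\nfjrmn\\xlhnsysguard.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:5555"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"CheckExeSignatures"="no"
'''

def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: data}; dword:XXXXXXXX becomes decimal text."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))
            else:
                data = data.strip('"').replace("\\\\", "\\")  # REG_SZ: unquote, unescape
            keys[current][name.lower()] = data
    return keys

HKCU = r"hkey_current_user\software\microsoft"
# executable suffixes named in the article (sysguard) and by readers in the comments (sftav)
ROGUE_EXE = re.compile(r"\\application data\\[^\\]+\\\w*(sysguard|sftav)\.exe$", re.I)

def find_indicators(keys):
    """Flag the Antivirus Soft registry indicators the article lists."""
    hits = []
    if r"hkey_current_user\software\avsoft" in keys:
        hits.append("avsoft")
    for hive in ("hkey_current_user", "hkey_local_machine"):
        for name, data in keys.get(hive + r"\software\microsoft\windows\currentversion\run", {}).items():
            if ROGUE_EXE.search(data):
                hits.append("run:" + name)
    proxy = keys.get(HKCU + r"\windows\currentversion\internet settings", {}).get("proxyserver", "")
    if proxy.lower().startswith("http=127.0.0.1:"):  # IE pinned to the rogue's local proxy
        hits.append("proxy:" + proxy)
    dl = keys.get(HKCU + r"\internet explorer\download", {})
    if dl.get("runinvalidsignatures") == "1" or dl.get("checkexesignatures", "").lower() == "no":
        hits.append("signature-checks-off")
    return hits
```

Run it against the output of "reg export HKCU hkcu.reg" taken from the suspect profile; an empty list means none of the listed indicators are present, not that the machine is clean.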

Antivirus Soft Associated Domains

This scareware was observed accessing the following domains during installation and operation:

http://newsoftspot. com

Note: Visiting the domains mentioned above may harm your computer system.

Antivirus Soft Removal (How to remove Antivirus Soft)

Boot into Windows Safe Mode with Networking and use an alternate browser such as Firefox or Chrome to download and install the following free applications, or download them on a clean computer and copy them to a USB flash drive:

  1. Dr.Web CureIt!
  2. Malwarebytes' Anti-Malware
  3. CCleaner Slim version

  • Ensure that your system is in Windows Safe Mode.
  • Dr.Web CureIt! comes as a randomly named file to evade identification by malware. Click to open it. Since you are supposed to use this on a home PC, click Cancel, then click Start and OK to start an express scan. Once the scan is complete, click Yes to restart.
  • Install Malwarebytes' Anti-Malware, open it and choose a full scan. Once the scan is completed, click "Show results", confirm that all instances of the rogue security software are check-marked and then click "Remove Selected" to delete them. Restart to complete the removal process. Some of the registry entries may need to be manually deleted.
  • Turn System Restore off and on.
  • Install CCleaner, then scan and clean the temporary files with it.

If you find that Internet Explorer is still being redirected to the scareware website, remove the proxy settings as follows:

Open Internet Explorer, Click Tools menu and then click Internet options or open Internet options via control panel. In the Internet Options window, select the Connections tab. In the Connections tab, click on LAN settings.

In the Local Area Network (LAN) Settings window, click Advanced and clear the proxy address 127.0.0.1 and port 5555. Click Yes and OK your way out.

You should now be clean of this rogue.

If you are unable to get rid of this scareware, you may have other malware in addition to Antivirus Soft. Please visit one of the recommended forums for malware help and post about your problem.

Note: The Antivirus Soft installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.

slim February 7, 2010 at 2:21 AM

I have a problem on my PC: when I try opening anything it opens it in a command prompt and then closes.

alex February 8, 2010 at 3:45 PM

This was very helpful, my mother's computer had messed up. So she came to me; I didn't have any idea why I was unable to run any .exe or .dll file on her computer. Luckily I had mine, so I found this site and added CCleaner and Malwarebytes' Anti-Malware to a flash drive and fixed this up for her in about 5 mins. Again, thanks for the detailed info about the software the hackers used. Now to just figure out where she got it from.

Chris February 9, 2010 at 8:30 AM

Thank you very much! I had no idea at all how to fix this and this made me very happy knowing I didn't have to wipe out everything!

Don February 9, 2010 at 9:39 PM

This fix worked great for this nasty little bug. The hijacking of the browser proxy settings will drive you nuts at first. Start up in safe mode and remove the browser proxy settings. You will then be able to download the programs mentioned in the fix. Thanks again!!!

Sarah February 9, 2010 at 11:24 PM

Thank you, I’ll give this a try.

Judy February 10, 2010 at 1:42 AM

My mother's computer had this too. I thought I got rid of it once, but it came back 2 weeks later. Didn't know the thing about turning System Restore off and on, so that's probably why. She seems to have gotten it off MySpace.

steve falzon February 10, 2010 at 2:27 AM

Hi, just removing this for a friend, pretty nasty. Another reg key that may have been modified is
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "yes"

it will have been changed to

"CheckExeSignatures" = "no"

Not sure if the malware does this but it has been changed on the system I’m fixing.

Matt February 10, 2010 at 8:00 PM

This worked great, I followed the steps as laid out on here and had no issues. Thanks so much! My daughter was on MySpace and next thing you know this nasty virus showed up. This site saved me at least a thousand dollars as I was about to go buy a Mac! I was so frustrated…thanks again.

Matt – Chandler, AZ

Virna February 11, 2010 at 6:52 AM

This worked perfectly and was pretty easy to do. Thank you very much!

mike February 12, 2010 at 6:22 AM

I got rid of Antivirus Soft but now I have no Internet Options, even in my Control Panel. Any help is needed. Thanks

Shanmuga February 12, 2010 at 8:22 AM

The following reg fix unlocks the Homepage, restores all the tabs, removes all IE restrictions including Toolbar restrictions. Save it as a .reg file and click to merge it to your Windows registry. http://windowsxp.mvps.org/reg/IE_reset_restrictions.reg

The Mad Zak February 14, 2010 at 9:29 AM

I got this while browsing a friend’s profile on MySpace. I didn’t intentionally launch any application. I was just listening to music, looking at pictures, and writing messages. This was a pretty nasty one.

Tony February 14, 2010 at 6:35 PM

I followed the steps above. Downloaded the tools, booted into Windows safe mode, then ran Dr.Web CureIt!; it reports that nothing bad was found (??). Then I ran Malwarebytes' Anti-Malware full scan, same thing, nothing bad found. I have multiple drives on my computer, and I scanned all drives. Nothing bad found. When I boot back into normal Windows XP, the Antivirus Soft thing came right back … From the comments above, it seems this is working for many folks; have I done something improper? Please help.

Shanmuga February 14, 2010 at 10:00 PM

MBAM should be able to clean it. In normal or safe mode, can you find the main executable of the scareware that ends with "sysguard.exe" in your Local Settings\Application Data\ folder? The folder is named randomly, as can be seen from the example below:

C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\nfjrmn\xlhnsysguard.exe

You may need to enable "Show hidden files, folders and drives" in the Folder Options control panel to view the above file and folder.

essence February 15, 2010 at 2:37 AM

I'm lost. I'm scanning my computer. Can someone help me step by step?

Tony February 15, 2010 at 2:57 AM

Yep, those tools didn’t work for me. After searching around on the web and reading everything *carefully*, I tried removing this thing manually. Below are brief descriptions of what I did:

1. Boot into Windows safe mode.
2. Look around in the directory “%UserProfile%\Local Settings\Application Data” for something suspicious. Found the following 272KB file:
F:\Documents and Settings\admin\Local Settings\Application Data\hxtfpd\pfdesftav.exe
3. Also found this:
F:\WINDOWS\Prefetch\PFDESFTAV.EXE-05229DCB.pf
4. Remove the registry entries as described in this article.
5. Remove these two files. Prior to deleting the ".exe" file, I right-clicked on it and selected "Scan with MBAM". Guess what, it returns saying "scan completed successfully, no malicious items were detected". This is probably the reason why the tool doesn't work for me …
6. Turn off/on System Restore.

This seems to work for my computer, when I boot back into my normal Windows, that Antivirus Soft thing is gone.

Jimmy February 17, 2010 at 7:38 AM

Satisfied user here :D !

dj February 18, 2010 at 11:19 PM

I was hit with this today. Malwarebytes partially detected it. Thanks for the fix.

Anonymous February 18, 2010 at 11:31 PM

This worked brilliantly for me, thanks so much. Safe mode, Spybot, Malwarebytes and then system restore, and everything in the garden is rosy. Good advice, fellah.

Leslie February 20, 2010 at 1:05 AM

Can Dr. Web Cure It! be used on a laptop?

Shanmuga February 20, 2010 at 1:08 AM

Yes.

Leslie February 20, 2010 at 1:48 AM

What does the CCleaner Slim do to the computer? Does it harm any of my personal files or pictures that I have? And when running Dr.Web CureIt! and MBAM, do I run the scan in safe mode?

Shanmuga February 20, 2010 at 7:10 AM

Run Dr.Web CureIt! and MBAM in normal mode. CCleaner does not touch your personal documents when run with default settings (see CCleaner – Features).

User February 24, 2010 at 5:48 AM

Hello, how are people getting this virus? I received it randomly a few weeks ago while browsing the internet and removed it successfully. However, I was not on Myspace, and is Myspace safe to browse? I have not seen my page for over two weeks because many people on here have claimed to have gotten this from Myspace somehow, and I have been afraid to log on to there for fear of regaining this virus.

Anonymous March 18, 2010 at 12:31 PM

I’ve been trying to follow these steps, but I can’t download Dr. Web CureIt! on my desktop (the infected computer) or my laptop. I have tried disabling my popup blocker and even my firewall but I’m still unable to download it. Is there any advice on how I can fix this?

Shanmuga March 18, 2010 at 4:11 PM

Jkelly57 March 22, 2010 at 8:05 PM

I got Antivirus Soft just this morning from browsing YouTube. I have the laptop in safe mode & running AVG & Spybot. Spybot is finding stuff so I hope it gets rid of it completely.

andy March 25, 2010 at 4:14 AM

Like Kelly I got this boring Trojan, "antivirus - taking my patience off" or -soft, whatever it's called..lol.....I hope I will get rid of it as soon as possible. I am also in safe mode & running Spybot. Good luck everyone, hope we will get this nuisance out of our PCs..
I have spent quite some time & agree with steve falzon, this bug seems to get into many registry files..(bad one actually).. I'd appreciate it if anyone sends me any new useful information. ty & good luck

PS I got the virus in a social network thing I think yahoo…

Anonymous March 26, 2010 at 3:47 AM

Thanks so much!! I got rid of this annoying problem using your guide here and ZoneAlarm. :)

AMax March 28, 2010 at 9:30 PM

Why is Malwarebytes not detecting anything??? It’s been scanning for over an hour and NOTHING has been found…while everything is popping up all around it!!!

marco March 29, 2010 at 5:18 AM

Malwarebytes didn’t work for me, but I luckily stumbled into another fix. Rather than bore you with the details, I will just give instructions that I hope you find helpful:

1) Boot up in standard mode and as soon as Windows starts opening, right-click the bottom toolbar and open up Task Manager. The goal is to open Task Manager before the AntiVirus Soft program loads.

2) Click on the Processes tab and look for a .exe file that ends in “sftav”. Mine was called “erkcsftav.exe”, but I have seen different versions in some of these blogs.

3) Right-click on that file name and select “End Process Tree”. Click “yes” when the Task Manager Warning pops up. This will shut down the AntiVirus Soft program.

4) Right-click “My Computer” and run a search for all files and folders containing “sftav” as all or part of the file name.

5) When the search completes, there should be two results, one for the file itself and one causing it to auto-run on start-up. Mine were in the following locations:

C:\WINDOWS\Prefetch

C:\Documents and Settings\Admin\Local Settings\Application Data\pojgpf
(Note: “Admin” in the path above should be replaced with your normal account name)

6) Delete both of these files and empty the Recycle Bin.

7) Remove the Proxy Settings in Internet Explorer as explained on the page above.

8) For good measure, I then ran malwarebytes and ATF Cleaner again (obtained for free at downloads.com) to remove all temp files, etc., and ran another full scan using my regular virus scan software.

9) After running a full virus scan, turn the System Restore settings off and on again as explained in the link on the page above.

So far, this appears to have worked. Hopefully it works for you if you find yourself in a similar situation!

buffjomo March 29, 2010 at 5:33 AM

Malwarebytes Anti-Malware did find everything and deleted everything with the exception of HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download as mentioned above by Steve. Does anyone know how to get that removed or changed to "CheckExeSignatures" = "yes"? Any advice would be great.

sammy May 5, 2010 at 1:18 AM

THANKS!!!
Microsoft Security Essentials found the trojan (FakeSpypro) on the computer and removed it, but still left Chrome not working…

The part about clearing the proxy info helped me out big time.
Chrome wasn't able to open web pages, but Firefox was able to.
I cleared the proxy info and now I'm good!

mir May 9, 2010 at 9:14 AM

So does system restore work in removing this thing because I just did that and the computer seems to be clean :S

DAN May 13, 2010 at 9:21 PM

I did a system restore on my PC, that was two days ago and no sign of this ultra annoying malware.. It is so crazy that a XXXX company can do this to us, I would trash my new PC and start over before giving them 50.00

Scott B. May 19, 2010 at 3:23 AM

None of this is working. I cannot get into the registry, let alone go into Safe mode. Every time I try to do something it says "".exe is infected. What's next?

Shanmuga May 19, 2010 at 8:24 AM

See if safe mode trouble shooting helps. MBAM when run in safe mode should remove this infection. If it does not work, you might want to post about your problem in one of the recommended forums for malware help.

Beth May 28, 2010 at 12:06 PM

This really did work, after trying about four other sites and “fixes”. THANK YOU!!!!!!!!!!

Lisa August 26, 2010 at 6:23 AM

I can't download Dr.Web CureIt!. I'm not sure what to do. Maybe I'll try Marco's steps?

Lisa August 28, 2010 at 2:31 AM

I got rid of it (I think) by following the steps that Tony outlined above.
Thank you!
I ran Malwarebytes and CCleaner, too.
I can't get connected to the internet, though, and I don't know why. Any suggestions?

Jake September 13, 2010 at 6:18 PM

Hey, I got rid of it too. Thanks, it worked.
Dr.Web CureIt! found it but couldn't delete it. So it saved it and I had to go back and delete it.
