Antivirus Soft belongs to the Antivirus Live family. Once installed, it completely takes over the system and aggressively displays a variety of fraudulent alerts about non-existent malware and infiltration attempts. This scareware installs a fake Windows Security Center in which all the links lead to the payment page for Antivirus Soft. It hijacks Internet Explorer and automatically opens a specific set of porn websites every few minutes. Internet Explorer is allowed to visit only the sites related to this rogue security software, which is achieved by modifying Internet Explorer's proxy settings.
This scareware blocks execution of most of the programs. Firefox was able to open and browse the Web normally.
Rogue security software such as Antivirus Soft belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
Antivirus Soft Aliases
This scareware is known by the following aliases:
Typical Antivirus Soft Scare Messages
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.
Vulnerabilities found. Your computer is infected by spyware – 34 serious threats have been found while scanning your files and registry. It is strongly recommended that you disinfect your computer and activate realtime secure protection against future intrusions.
Infiltration alert. Virus Attack. Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
The trojan downloader was named 6507f.exe and is about 279296 bytes in size. It is detected by 12/39 (30.77%) of the anti-virus engines available at VirusTotal.
Antivirus Soft Associated Files and Folders
- C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\nfjrmn\xlhnsysguard.exe
File and folder names are randomly generated.
Antivirus Soft Associated Registry Values and Keys
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
Antivirus Soft Associated Domains
This scareware was observed accessing the following domains during installation and operation:
Note: Visiting the domains mentioned above may harm your computer system.
Antivirus Soft Removal (How to remove Antivirus Soft)
Boot into Windows Safe Mode with Networking and use an alternate browser like Firefox or Chrome to download and install the following free applications, or download them from a clean computer and copy them to a USB flash drive:
- Ensure that your system is in Windows Safe Mode
- Dr.Web CureIt! comes in a randomly named file to evade identification by malware. Click to open it. Since you are supposed to use this on a home PC, click Cancel and then click Start and OK to start an express scan. Once the scan is complete, click Yes to restart.
- Install Malwarebytes' Anti-Malware, open it and choose a full scan. Once the scan is completed, click "Show results", confirm that all instances of the rogue security software are check-marked and then click "Remove Selected" to delete them. Restart to complete the removal process. Some of the registry entries may need to be manually deleted.
- Turn System Restore off and on.
- Install, scan and clean the temporary files with CCleaner.
If you find that Internet Explorer is still being redirected to the scareware website, remove the proxy settings as follows:
Open Internet Explorer, click the Tools menu and then click Internet Options, or open Internet Options via Control Panel. In the Internet Options window, select the Connections tab and click LAN settings.
In the Local Area Network (LAN) Settings window, click Advanced and clear the proxy address 127.0.0.1 and port 5555. Click Yes and OK your way out.
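The registry values listed earlier and the proxy cleanup just described can also be checked from PowerShell. This is an added example, not part of the original article; the `-Fix` switch and the `Get-RegValue` helper are this script's own names, and `ProxyEnable` is the standard Internet Settings value that switches the proxy on or off, which the article does not mention.

```powershell
# Added example (not from the original article): audit the HKCU values listed
# for Antivirus Soft. Run as the affected user. -Fix is this script's own switch.
param([switch]$Fix)

$ms   = 'HKCU:\Software\Microsoft'
$inet = "$ms\Windows\CurrentVersion\Internet Settings"

# Key path, value name and the data the article reports for each entry.
$indicators = @(
    @{ Path = "$ms\Windows\CurrentVersion\Policies\Associations"; Name = 'LowRiskFileTypes'; Bad = '.exe' },
    @{ Path = "$ms\Windows\CurrentVersion\Policies\Attachments"; Name = 'SaveZoneInformation'; Bad = '1' },
    @{ Path = $inet; Name = 'ProxyServer'; Bad = 'http=127.0.0.1:5555' },
    @{ Path = "$ms\Internet Explorer\Download"; Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Path = $inet; Name = 'ProxyOverride'; Bad = '' }
)

# Hypothetical helper: returns the value data, or $null when key or value is missing.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($i in $indicators) {
    $value = Get-RegValue $i.Path $i.Name
    # DWORD data comes back as an integer, so compare on the string form.
    if ($null -eq $value)        { $state = 'absent' }
    elseif ("$value" -eq $i.Bad) { $state = 'MATCH' }
    else                         { $state = 'differs' }
    New-Object PSObject -Property @{ Name = $i.Name; Value = $value; State = $state }
}
$results | Format-Table Name, Value, State -AutoSize

# Scripted form of the LAN settings step: clear the proxy only when it is
# the loopback entry from the article, and leave any other proxy alone.
if ($Fix -and (Get-RegValue $inet 'ProxyServer') -eq 'http=127.0.0.1:5555') {
    Remove-ItemProperty -Path $inet -Name 'ProxyServer'
    Set-ItemProperty -Path $inet -Name 'ProxyEnable' -Value 0   # standard proxy on/off value
    Write-Output 'Loopback proxy entry removed.'
}
```

An empty `ProxyOverride` on its own means little, so read that row together with the `ProxyServer` result.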
You should now be clean of this rogue.
If you are unable to get rid of this scareware, you may have other malware in addition to Antivirus Soft. Please visit one of the recommended forums for malware help and post about your problem.
Note: The Antivirus Soft installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help.Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.