
Antivirus Soft Analysis and Removal

February 5, 2010 by Shanmuga  
Filed under Featured, Rogue Security Software, spyware removal

Antivirus Soft belongs to the Antivirus Live family. Once installed it takes over the system, aggressively displaying a stream of fraudulent alerts about non-existent malware and infiltration attempts. The scareware installs a fake Windows Security Center in which every link leads to the payment page for Antivirus Soft. It hijacks Internet Explorer, automatically opening a specific set of porn websites every few minutes, and allows Internet Explorer to visit only sites related to the rogue. It does this by changing Internet Explorer's proxy settings so that all of the browser's HTTP traffic passes through a proxy the rogue runs locally (127.0.0.1:5555; see the registry values below), which lets through only the pages the rogue wants the victim to see.


[Screenshot: the Antivirus Soft scareware interface]

This scareware blocks the execution of most programs. In testing, Firefox could still open and browse the web normally, which is why an alternative browser is used in the removal steps below.

Rogue security software such as Antivirus Soft is a family of products that present themselves as antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberately false positives to push users into buying a licence or subscription. They are frequently repackaged and renamed. They do not remove malware; many of them add more malware of their own.

Antivirus Soft Aliases

This scareware is known by the following aliases:

  • Trojan.Win32.FakeSpypro!IK
  • Win32.RogueSysGuard
  • Win32/SystemGuard2009.CH
  • Rogue:W32/SysGuard.AD
  • Trojan.Win32.FakeSpypro
  • FakeAlert-SpyPro.gen.a

Typical Antivirus Soft Scare Messages

Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Vulnerabilities found. Your computer is infected by spyware -- 34 serious threats have been found while scanning your files and registry. It is strongly recommended that you disinfect your computer and activate realtime secure protection against future intrusions.

Infiltration alert. Virus Attack. Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.

The trojan downloader was named 6507f.exe and is about 279296 bytes in size. At the time of testing it was detected by 12 of the 39 (30.77%) anti-virus engines at VirusTotal.

Antivirus Soft Associated Files and Folders

  • C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\nfjrmn\xlhnsysguard.exe
  • C:\WINDOWS\Prefetch\XLHNSYSGUARD.EXE-37237EBB.pf

File and folder names are randomly generated.

Antivirus Soft Associated Registry Values and Keys

  • HKEY_CURRENT_USER\Software\avsoft
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlmhkwlw
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlmhkwlw
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""

The two Run values (the value name is random) start the rogue at every logon. The two Policies values and RunInvalidSignatures quietly weaken the download protections of Windows XP: "LowRiskFileTypes" = ".exe" suppresses the Attachment Manager's "Open File - Security Warning" for executables, "SaveZoneInformation" = 1 stops zone information (the mark of the web) from being saved on downloaded files, and "RunInvalidSignatures" = 1 lets Internet Explorer run downloaded executables whose signature is invalid. "ProxyServer" sends all of Internet Explorer's HTTP traffic to 127.0.0.1:5555, a proxy the running rogue answers, and the empty "ProxyOverride" means no address bypasses it; this is how the browser is restricted to the rogue's own sites.

Antivirus Soft Associated Domains

This scareware was observed accessing the following domains during installation and operation:

http://newsoftspot. com

Note: Visiting the domains mentioned above may harm your computer system.

Antivirus Soft Removal (How to remove Antivirus Soft)

Boot into Windows Safe Mode with Networking and use an alternative browser such as Firefox or Chrome to download and install the following free applications, or download them on a clean computer and copy them over on a USB flash drive:

  1. Dr.Web CureIt!
  2. Malwarebytes' Anti-Malware
  3. CCleaner Slim version
  • Ensure that your system is in Windows Safe Mode.
  • Dr.Web CureIt! is distributed as a randomly named file so that malware cannot recognise and block it by name. Open it; since you are using it on a home PC, click Cancel at the first prompt, then click Start and OK to begin an express scan. Once the scan is complete, click Yes to restart.
  • Install Malwarebytes' Anti-Malware, open it and choose a full scan. Once the scan is complete, click "Show results", confirm that all instances of the rogue security software are check-marked and then click "Remove Selected" to delete them. Restart to complete the removal. Some of the registry entries listed above may need to be deleted manually.
  • Turn System Restore off and then on again. This discards the existing restore points, which otherwise keep a copy of the rogue that can be brought back by a later restore.
  • Install CCleaner, scan and clean the temporary files.

If Internet Explorer is still being redirected to the scareware website, remove the proxy settings as follows:

Open Internet Explorer, click the Tools menu and then Internet Options (or open Internet Options from Control Panel). In the Internet Options window, select the Connections tab, then click LAN settings.

[Screenshots: the Internet Options Connections tab, and the LAN settings dialog with the 127.0.0.1:5555 proxy entry]

In the Local Area Network (LAN) Settings window, click Advanced and clear the proxy address 127.0.0.1 and port 5555. Also make sure "Use a proxy server for your LAN" is unticked unless your network genuinely uses one. Click OK your way out of the dialogs.

You should now be clean of this rogue.
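The registry indicators listed above and the manual steps just described can be tied together in a short script. The following Python is an added example, not code from this post or from any of the tools it recommends: it parses a `reg export` dump of HKCU (or HKLM), flags the indicators, lists the randomly named executable for manual deletion and composes a .reg file that reverses the changes. The sample export is constructed from the values on this page with a made-up user name; the ProxyEnable value is an assumption (the post does not list it, but Internet Explorer only honours ProxyServer when it is 1), as is the drop-folder heuristic, which treats any executable one folder below Local Settings\Application Data as a candidate because the comments on this post show the file name is not always *sysguard.exe.

```python
import re

# Constructed sample of a `reg export HKCU hkcu.reg` dump, trimmed of blank lines
# (the real file is UTF-16LE with a BOM: open it with encoding="utf-16"). Keys and
# values follow the indicators in this post; value name, folder and exe name are
# random per infection. ProxyEnable is not in the post (assumption, see lead-in).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\avsoft]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"nlmhkwlw"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\nfjrmn\\xlhnsysguard.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"""

HKCU = "HKEY_CURRENT_USER"
AVSOFT = HKCU + r"\Software\avsoft"
ASSOC = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
ATTACH = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
INET = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
IEDL = HKCU + r"\Software\Microsoft\Internet Explorer\Download"
# Drop layout heuristic: an .exe exactly one folder below Local Settings\Application
# Data. The name only grades confidence, since it is not always *sysguard.exe.
DROP_DIR = re.compile(r"\\Local Settings\\Application Data\\[^\\]+\\[^\\]+\.exe$", re.I)


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: (type, data)}}; handles the
    "..." (REG_SZ) and dword:XXXXXXXX (REG_DWORD) forms, keeps anything else raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        else:
            keys[current][name] = ("RAW", data)
    return keys


def autorun_hits(keys):
    """(key, value_name, path) for every ...\\CurrentVersion\\Run value, in whichever
    hive was exported, whose target matches the drop layout: delete these files by hand."""
    return [(key, name, data)
            for key, values in keys.items() if key.lower().endswith(r"\currentversion\run")
            for name, (vtype, data) in values.items()
            if vtype == "REG_SZ" and DROP_DIR.search(data)]


def find_indicators(keys):
    """Return (key, value_name or None, reason) for each indicator present. The proxy
    check is a heuristic: a local debugging proxy such as Fiddler also listens on
    127.0.0.1, so confirm the port before removing it."""
    def val(key, name):
        return keys.get(key, {}).get(name, (None, None))[1]
    hits = []
    if AVSOFT in keys:
        hits.append((AVSOFT, None, "rogue's own configuration key"))
    for key, name, path in autorun_hits(keys):
        grade = "high" if path.lower().endswith("sysguard.exe") else "medium"
        hits.append((key, name, grade + ": autorun of " + path))
    if "127.0.0.1:" in str(val(INET, "ProxyServer") or ""):
        hits.append((INET, "ProxyServer", "IE HTTP traffic forced through a local listener"))
    if val(IEDL, "RunInvalidSignatures") in (1, "1"):
        hits.append((IEDL, "RunInvalidSignatures", "IE runs downloads with invalid signatures"))
    if val(ATTACH, "SaveZoneInformation") in (1, "1"):
        hits.append((ATTACH, "SaveZoneInformation", "zone information not saved on downloads"))
    if ".exe" in str(val(ASSOC, "LowRiskFileTypes") or "").lower():
        hits.append((ASSOC, "LowRiskFileTypes", "no Open File security warning for .exe"))
    return hits


def build_fix_reg(hits):
    """Compose a .reg file reversing the indicators: [-key] deletes a key, "name"=-
    deletes a value (absent is the XP SP3 default for all of these) and the proxy is
    switched off explicitly. Save with encoding="utf-16", merge with regedit/reg import."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _ in hits:
        if key == INET:
            continue  # proxy values are handled as one block below
        lines += ["[-" + key + "]", ""] if name is None else ["[" + key + "]", '"%s"=-' % name, ""]
    lines += ["[" + INET + "]", '"ProxyEnable"=dword:00000000',
              '"ProxyServer"=-', '"ProxyOverride"=-', ""]
    return "\r\n".join(lines) + "\r\n"
```

Run it in Safe Mode against `reg export HKCU hkcu.reg` (and `reg export HKLM hklm.reg` for the second Run value), decoding the file as UTF-16 before calling `parse_reg_export`; review the findings, merge the generated .reg file, then delete the executable returned by `autorun_hits` together with its folder and the matching Prefetch entry. Because the proxy rule only looks for 127.0.0.1, check that the port really is the rogue's before letting the script switch the proxy off on a machine that legitimately uses a local one.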

If you are unable to get rid of this scareware, you may have other malware in addition to Antivirus Soft. Please visit one of the recommended forums for malware help and post about your problem.

Antivirus Soft Scareware — Screenshots

Antivirus Soft Scareware — Video

Note: The Antivirus Soft installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.



Comments

23 Responses to “Antivirus Soft Analysis and Removal”

  1. slim on February 7th, 2010 2:21 AM

    I have a problem on my PC: when I try opening anything it opens it in a command prompt and then closes.

  2. alex on February 8th, 2010 3:45 PM

    This was very helpful, my mother's computer had messed up. So she came to me; I didn't have any idea why I was unable to run any .exe or .dll file on her computer. Luckily I had mine, so I found this site and added CCleaner and Malwarebytes' Anti-Malware to a flash drive and fixed this up for her in about 5 mins. Again, thanks for the detailed info about the software the hackers used. Now to just figure out where she got it from.

  3. Chris on February 9th, 2010 8:30 AM

    Thank you very much! I had no idea at all how to fix this and this made me very happy knowing I didn't have to wipe out everything!

  4. Don on February 9th, 2010 9:39 PM

    This fix worked great for this nasty little bug. The hijacking of the browser proxy settings will drive you nuts at first. Start up in safe mode and remove the browser proxy settings. You will then be able to download the programs mentioned in the fix. Thanks again!!!

  5. Sarah on February 9th, 2010 11:24 PM

    Thank you, I’ll give this a try.

  6. Judy on February 10th, 2010 1:42 AM

    My mother's computer had this too. I thought I got rid of it once, but it came back 2 weeks later. Didn't know the thing about turning System Restore off and on, so that's probably why. She seems to have gotten it off MySpace.

  7. steve falzon on February 10th, 2010 2:27 AM

    Hi, just removing this for a friend, pretty nasty. Another reg key that may have been modified is
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "yes"

    it will have been changed to

    "CheckExeSignatures" = "no"

    Not sure if the malware does this but it has been changed on the system I'm fixing.

  8. Matt on February 10th, 2010 8:00 PM

    This worked great, I followed the steps as laid out on here and had no issues. Thanks so much! My daughter was on MySpace and next thing you know this nasty virus showed up. This site saved me at least a thousand dollars as I was about to go buy a Mac! I was so frustrated… thanks again.

    Matt – Chandler, AZ

  9. Virna on February 11th, 2010 6:52 AM

    This worked perfectly and was pretty easy to do. Thank you very much!

  10. mike on February 12th, 2010 6:22 AM

    I got rid of antivirus soft but now I have no internet options, even in my control panel. Any help is needed . Thanks

  11. Shanmuga on February 12th, 2010 8:22 AM

    The following reg fix unlocks the Homepage, restores all the tabs, removes all IE restrictions including Toolbar restrictions. Save it as a .reg file and click to merge it to your Windows registry. http://windowsxp.mvps.org/reg/IE_reset_restrictions.reg

  12. The Mad Zak on February 14th, 2010 9:29 AM

    I got this while browsing a friend’s profile on MySpace. I didn’t intentionally launch any application. I was just listening to music, looking at pictures, and writing messages. This was a pretty nasty one.

  13. Tony on February 14th, 2010 6:35 PM

    I followed the steps above. Download the tools, boot into Windows safe mode, then run Dr.Web CureIt!, it reports that nothing bad was found (??) Then I ran Malwarebytes’ Anti-Malware full scan, same thing, nothing bad found. I have multiple drives on my computer, and I scan all drives. Nothing bad found. When I boot back into normal Windows XP, the Antivirus Soft thing came right back … From the comments above, it seems this is working for many folks, have I done something improper? Please help.

  14. Shanmuga on February 14th, 2010 10:00 PM

    MBAM should be able to clean it. In normal or safe mode can you find the main executable of the scareware that ends with “sysguard.exe” in your Local Settings\Application Data\ folder. The folder is named randomly as can be seen from the example below:

    C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\nfjrmn\xlhnsysguard.exe

    You may need to enable “Show hidden files,folders and drives” in Folder Options control panel to view the above file and folder.

  15. essence on February 15th, 2010 2:37 AM

    I'm lost. I'm scanning my computer. Can someone help me step by step?

  16. Tony on February 15th, 2010 2:57 AM

    Yep, those tools didn’t work for me. After searching around on the web and reading everything *carefully*, I tried removing this thing manually. Below are brief descriptions of what I did:

    1. Boot into Windows safe mode.
    2. Look around in the directory “%UserProfile%\Local Settings\Application Data” for something suspicious. Found the following 272KB file:
    F:\Documents and Settings\admin\Local Settings\Application Data\hxtfpd\pfdesftav.exe
    3. Also found this:
    F:\WINDOWS\Prefetch\PFDESFTAV.EXE-05229DCB.pf
    4. Remove the registry entries as described in this article.
    5. Remove these two files. Prior to deleting the ".exe" file, I right-clicked on it and selected "Scan with MBAM". Guess what, it returned saying "scan completed successfully, no malicious items were detected". This is probably the reason why the tool doesn't work for me …
    6. Turn off/on System Restore.

    This seems to work for my computer, when I boot back into my normal Windows, that Antivirus Soft thing is gone.

  17. Jimmy on February 17th, 2010 7:38 AM

    Satisfied user here :D !

  18. dj on February 18th, 2010 11:19 PM

    I was hit with this today. Malwarebytes partially detected it. Thanks for the fix.

  19. Anonymous on February 18th, 2010 11:31 PM

    This worked brilliantly for me, thanks so much. Safe Mode, Spybot, Malwarebytes and then System Restore, and everything in the garden is rosy. Good advice, fellah.

  20. Leslie on February 20th, 2010 1:05 AM

    Can Dr. Web Cure It! be used on a laptop?

  21. Shanmuga on February 20th, 2010 1:08 AM

    Yes.

  22. Leslie on February 20th, 2010 1:48 AM

    What does CCleaner Slim do to the computer? Does it harm any of my personal files or pictures that I have? And when running Dr.Web CureIt! and MBAM, do I run the scan in Safe Mode?

  23. Shanmuga on February 20th, 2010 7:10 AM

    Run Dr.Web CureIt! and MBAM in normal mode. CCleaner does not touch your personal documents when run with default settings, CCleaner – Features.

  24. User on February 24th, 2010 5:48 AM

    Hello, how are people getting this virus? I received it randomly a few weeks ago while browsing the internet and removed it successfully. However, I was not on Myspace, and is Myspace safe to browse? I have not seen my page for over two weeks because many people on here have claimed to have gotten this from Myspace somehow, and I have been afraid to log on to there for fear of regaining this virus.
