
Saturday, January 30, 2010

How to remove "Antivirus Soft" fake security program? (Uninstall guide)

Antivirus Soft is a fake anti-virus program that is usually distributed through fake online anti-malware scanners and various other bogus websites. It is actually a Trojan, but it presents itself as anti-virus software and even pretends to be a legitimate product. Antivirus Soft is scareware (badware) from the same family as Antivirus Live. Once installed, it simulates a system scan and displays a list of false threats or infections to make you think that your computer is seriously compromised. The scan results are entirely false, so don't worry. The only real infection is Antivirus Soft itself. It will constantly ask you to purchase the program in order to remove the infections and to protect yourself.



Antivirus Soft video: (http://www.youtube.com/watch?v=LYHXOkRlOdM)


Screenshot of newsoftspot.com


This virus doesn't delete any files; your data should be safe. The main goal of this bogus software is to trick you into purchasing it, so please don't do that. If you already did, contact your credit card company immediately and dispute the charges. Then remove Antivirus Soft from your computer as soon as possible and don't make any online payments while you're infected. Read the removal guide below.

The Antivirus Soft Demo virus is a very annoying scam. It displays fake security alerts and error messages stating that a particular program or web page is infected, roughly every one or two minutes. The fake message reads:

"Application cannot be executed. The file [program].exe is infected.
Do you want to activate your antivirus software now." 


The biggest problem is that Antivirus Soft won't let you download or install legitimate anti-malware software. You can try to remove it manually, but I think it will block Task Manager and other useful Windows tools to stop you. Instead, try to restore your system to a previous day when your PC wasn't infected, or read the removal guide below.


Antivirus Soft removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. Follow the prompts. Then reboot your PC in Safe Mode with Networking. (Before saving SafeBootKeyRepair.exe onto your computer, please rename it to winlogon.com or iexplore.com)

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.


Alternative Antivirus Soft removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is the HijackThis tool from Trend Micro, renamed).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it.

2. Search for similar entries in the scan results:
O4 – HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 – HKCU\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 – HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 – HKCU\..\Run: [kgtrlpor] C:\Users\Owner\AppData\Local\mfkrtl\oprgsftav.exe
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555


The process name will be different in your case. But it has the same structure: [RANDOM]sysguard.exe or [RANDOM]sftav.exe 

Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.


Antivirus Soft associated files and registry values:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]sysguard.exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random].exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]sftav.exe
In Windows Vista & 7:
  • C:\Users\[Username]\AppData\Local\[random]\[random]sysguard.exe
  • C:\Users\[Username]\AppData\Local\[random]\[random]sftav.exe
By default the "AppData" folder is hidden. To unhide this folder (and others), open Folder Options in the Vista Control Panel and, on the "View" tab, change the option to "show hidden files and folders", then click OK.

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\avsoft
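
The HijackThis step asks you to find "similar entries", and the file list above gives the exact shape. As an added example (not part of the original guide and not a HijackThis feature), the following Python sketch classifies lines of a saved HijackThis log against those patterns. The sample log is constructed from the entry shapes shown in the guide plus benign lines for contrast; the "match"/"review" verdict names are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Optional

# File-name endings and proxy value taken from the guide above.
KNOWN_SUFFIXES = ("sysguard.exe", "sftav.exe")
KNOWN_PROXY = "http=127.0.0.1:5555"

# HijackThis writes "O4 - ..."; the entries as printed in the guide use an
# en dash, so both separators are accepted.
SEP = r"\s*[-\u2013]\s*"
O4_RUN = re.compile(
    r"^O4" + SEP + r"(?P<hive>HKLM|HKCU)\\\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$",
    re.IGNORECASE,
)
R1_PROXY = re.compile(
    r"^R1" + SEP + r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"Internet Settings,ProxyServer\s*=\s*(?P<val>.*)$",
    re.IGNORECASE,
)
# An .exe exactly one folder below the per-user local application data
# directory (XP or Vista/7 layout), optionally followed by arguments.
LOCAL_APPDATA_EXE = re.compile(
    r"^[A-Za-z]:\\(?:Documents and Settings\\[^\\]+\\Local Settings\\Application Data"
    r"|Users\\[^\\]+\\AppData\\Local)"
    r"\\(?P<dir>[^\\]+)\\(?P<exe>[^\\]+?\.exe)(?:\s.*)?$",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    verdict: str  # "match" = shape listed in the guide, "review" = needs a human look
    reason: str
    line: str


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis log line, or None if it is unrelated."""
    line = line.strip()
    m = O4_RUN.match(line)
    if m:
        cmd = m.group("cmd").replace('"', "").strip()
        p = LOCAL_APPDATA_EXE.match(cmd)
        if not p:
            return None  # autorun from another location (e.g. Program Files)
        if p.group("exe").lower().endswith(KNOWN_SUFFIXES):
            return Finding("match", "Run entry launches [random]sysguard/sftav.exe", line)
        # The guide also lists a plain [random]\[random].exe variant; legitimate
        # software can look like this too, so it is flagged for review only.
        return Finding("review", "Run entry launches an exe from a one-level Local AppData folder", line)
    m = R1_PROXY.match(line)
    if m and m.group("val").strip().lower() == KNOWN_PROXY:
        return Finding("match", "Internet Explorer proxy points at the local listener", line)
    return None


def scan_log(text: str) -> List[Finding]:
    """Classify every line of a log and keep only the flagged ones."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f]


# Constructed sample log (not captured from a real machine).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 - HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 - HKCU\..\Run: [abcd] C:\Users\Owner\AppData\Local\asoksd\qwerty.exe
O4 - HKCU\..\Run: [Chat] C:\Users\Owner\AppData\Local\Vendor\App\chat.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.verdict:6} {finding.reason}\n       {finding.line}")
```

Entries reported as "review" match only the folder layout, not the file-name ending, so check them by hand before fixing them in HijackThis.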


327 comments:

Anonymous said...

Thank you so much for posting this fix. I was infected 01/29/10. Minimal information on line about this new threat. Problem resolved once I found your post on 01/30/10. SpyBot worked successfully. Thanks again.

Anonymous said...

Another round of thanks for this timely post. It proved to be extremely valuable in returning my Windows XP system back to a "normal" state. My system became infected on 01/30/10. Would love to know where in the world I picked up this nasty virus so I could inform friends and family about what and where to avoid. Many Thanks!!!

Anonymous said...

This was a lifesaver. Just as the last poster said, I was infected with this yesterday and couldn't find much about how to fix it until I found this. You saved me from having to take my computer somewhere and have someone else fix it for probably way too much money... so I'm very grateful!

Mikayla said...

I have a Dell Inspiron 6400, and I can't find a way to rename the files before I save them. It just says something along the lines of "(blank) can be downloaded. Would you like to save this file?" and it won't let me rename it until it is already saved in my dock..any help?

Anonymous said...

Mikayla, then just rename it as it's already saved. Maybe that will be OK in your case. Or if you have another computer, then you can transfer the renamed file to the infected PC using a USB flash drive or any other external media.

Anonymous said...

Thank you so much sir! You should be praised for your knowledge. I got infected 01/31/10 and now I can have relief. Thanks again.

Anonymous said...

How can I download when I'm in safe mode? I'm not able to connect to the Internet after I've unchecked the LAN proxy box.

Anonymous said...

Thank you! This worked perfectly.

Admin said...

Reboot in "Safe Mode with Networking" as shown in the image above. You have probably rebooted it in "Safe Mode" only. And by the way, you can use another browser if you have one, for example Firefox, Chrome or Opera.

Anonymous said...

I've booted it up in safe mode and in safe mode with networking and it gives me the same screen for both. It asks me if I want to restore my system to an earlier time or proceed in safe mode with the safe mode with networking or regular safe mode.

Admin said...

Try to restore your system. In some cases that works perfectly.

Anonymous said...

I'm infected and I printed out the removal instructions our problem is we already have the malware downloaded and the antivirus soft will not let us open it what should we do...

Anonymous said...

Restoring the system took care of the problem, thank goodness! Thanks for your help and quick responses! Nothing is worse than not knowing how to fix your computer when you have lots of research and lab reports.

Admin said...

"I'm infected and I printed out the removal instructions our problem is we already have the malware downloaded and the antivirus soft will not let us open it what should we do..."

If you can't run MalwareBytes then download Spybot S&D. NOTE: you have to rename spybotsd162.exe to either iexplore.exe or winlogon.exe before saving it on your PC. And you are in safe mode with networking, right?

Anonymous said...

Thank God for this! Was going out of my mind trying to get rid of the damned thing. I got it on Friday night and this was the only site I found that knew anything about it. THANK YOU!!

Anonymous said...

This virus is coming off of Myspace or Facebook. I got rid of it yesterday and my wife just got back on Facebook and Myspace and I got it again.

Anonymous said...

Must be a Facebook-related malware. Not a lot of info on this one, but what an annoying software. Thank you so much for the post; Malwarebytes worked great.

Anonymous said...

I got it right after visiting Myspace

Anonymous said...

yesss the FB has infected us all. 31/01/2010

Anonymous said...

I have fixed the problem but my internet is still not on.

Anonymous said...

This is from MySpace, as it's the only site I went to, to check out my kids' MySpace page.. I am unable to reboot in safe mode w/ networking so I put it into full safe mode to even be able to run any scan. Hoping to remove this pest before my husband wakes up and realises I've infected his quad.. figures, couldn't be my piece of crap old Dell, had to be his new baby.. I sure am hoping this works... stay away from MySpace as this is a nasty one.

Anonymous said...

I've tried to remove it using Malwarebytes but it is not working for me..... I ran the program and it does not identify "antivirus soft"; it was able to identify other malware that I had but not the one I want to remove. I ran it in safe mode and in normal mode but it's still not working. What should I do?? Should I download Spybot? Please reply.

Anonymous said...

My girlfriend got the AntiVirus Soft at school today after being on MySpace/Facebook. I had been working on it for hours until finding this site. I ran SpyBot while in safe mode with networking, but it didn't find anything. But doing a System Restore seems to have done the trick *fingers crossed*. Thanks for the help!

Admin said...

Yes, download Spybot. You may also use SUPERAntispyware. However, as far as I know, Malwarebytes detects this virus. Are you sure that MalwareBytes is updated?

Anonymous said...

hey, first of all thanks for your description but I can't solve the problem because I'm not getting in the safe mode. Every time I try to start in safe mode the pc automatically powers down. Any solutions for that?

Anonymous said...

Dang, this was really so helpful for that annoying false antivirus software.
Just happened about an hour ago and I saw this site and it really helped out! If this site let you rate this, I'd give it all stars!

Anonymous said...

Just a little update to this. I may have got a new version of it but it renamed itself when I was looking for it in HijackThis.

It ended up being O4 - HKCU\..\Run: [RANDOM] C:\Documents and Settings\user\Local Settings\Application Data\asoksd\[RANDOM].exe

Anonymous said...

I got it yesterday by visiting MySpace. I've run Ad-Aware, CCleaner and Malwarebytes with no luck. This is the first time I've heard of Spybot so I guess I'll have to try that one when I get back home. I'll also try downloading in safe mode 'cause right now I'm just unchecking the proxy setting and getting to the download site very quickly before Antivirus Soft takes over. Usually takes several tries.

This is the second time I've gotten this same virus from myspace! First time I stayed up all night screwing with internet settings in order to reconnect to internet explorer. I have totally forgotten what I did that night so guess I'll just try the spybot.

Anonymous said...

Hello, this site was very helpful for me, but I found something very interesting besides,
because all tools didn't work for me on XP
---> look out for a file called "iawbsftav.exe" inside your system:
Local%20Settings\Application%20Data\nnayfv\iawbsftav.exe/alert.htm

After removing it (in secure mode), the false "antivirus soft" alerts/attacks disappear!
Check it out!

Admin said...

Thank you. Removal instructions updated! It seems like the rogue program can disable Safe Mode with Networking. That's probably because it removes "SafeBoot" registry keys from Windows registry. In order to fix this problem you have to download SafeBootKeyRepair tool from

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

NOTE: before saving the selected program onto your computer, please rename SafeBootKeyRepair.exe to winlogon.exe or iexplore.exe.

Run this tool first and then reboot your PC in Safe Mode with Networking. Good luck!

Anonymous said...

My wife got the Antivirus Soft problem from Facebook. We tried Malwarebytes and Spybot S&D, but neither fixed it. Finally did a system restore from 2 days ago to fix it. So far, so good.

Anonymous said...

I ran spybot in safe mode and it found the malware and removed it. When I rebooted in normal mode and ran spybot it did not find it but the malware is still on computer as it keeps popping up. Any suggestions what to do next.

Anonymous said...

I'm using XP and do not have a restore point unless it is saved somewhere automatically. I have also tried to use HijackThis, to no avail. Any suggestions at this point would be great; my computer has been down for three days now.

Anonymous said...

I followed the instructions exactly, ran Malwarebytes in safe mode too, and I removed it, but when I start again in normal mode the virus is still alive.
I'm using XP.. I tried removing it also with Spybot, AVG and SUPERAntiSpyware, but every time the same problem... does anyone know what to do?

Admin said...

Probably it's a new version of this virus. I don't have a sample and can't test it. I guess we just have to wait until anti-malware software manufacturers add the new malicious files to their databases. And remember, you MUST update anti-malware before scanning your computer.

Anonymous said...

I'm having a similar problem. Malwarebytes and the other scans I've used don't even see it. I hope someone figures this out soon because this is annoying.

Theodore said...

I got this too, I haven't been able to pick it up with Malbytes! :(

Anonymous said...

I'm confused. You say to fix files which are similar to the four listed. Similar is a very vague term... All of them are somewhat similar.

Anonymous said...

I got this annoying virus after I visited Facebook. I was going crazy trying to find out how to get rid of it. Thanks for the help.

Anonymous said...

For anyone trying to remove this, it might help if you ctrl alt del and go to your processes. From there, sort them by memory with the highest at the top. Google search each one until you come across one that has no google return (for me it was "dhogsftav"), then end that process. This will help your spyware discover the virus!

Admin said...

"I'm confused. You say to fix files which are similar to the four listed. Similar is a very vague term... All of them are somewhat similar."

O4 – HKCU\..\Run: [RANDOM] C:\Documents and Settings\user\Local Settings\Application Data\asoksd\[RANDOM].exe

Your entry has to be exactly the same, but note that [RANDOM] part will be unique in your case.

The last two have to be exactly the same.

Thablaqkgoat said...

There is a way to open programs. When you log on, hit ctrl+alt+delete and the task manager will open before Antivirus Soft does, and you can close the program. In the processes section, look for hpisstfav.exe or something close to that (I don't remember exactly, but the 'hpiss' is accurate) and end the process. Then you can open and work freely without the numerous interruptions it causes.

Anonymous said...

Alternative Antivirus Soft removal instructions using HijackThis (in Normal mode):

1. Download HijackThis (NOTE: rename HijackThis.exe to iexplore.com before saving it to desktop). Launch the iexplore.com and click "Do a system scan only" button.

Can't do this operation on my computer; even though I'm using a USB and renaming it before saving, I still get that pop-up that I can't open the file.

Anonymous said...

There is a way to open programs. When you log on, hit ctrl+alt+delete and the task manager will open before Antivirus Soft does, and you can close the program. In the processes section, look for hpisstfav.exe or something close to that (I don't remember exactly, but the 'hpiss' is accurate)

Got something called hpqwim.exe or something; removed it 2 times before the load screen is done and it still pops up.

Anonymous said...

Yesterday, I got infected with XP Guardian and used Malwarebytes to get rid of it, and it worked. This time, I got infected with Antivirus Soft, and tried the instructions here (safe mode with networking), and ran a quick scan. However, Malwarebytes only indicated one infected file, and when I restarted my computer, Antivirus Soft was still here with all of its annoying popups. What can I do?? It won't let me run command, open notebook, etc...

Anonymous said...

Thanks man, I use HijackThis and it's worked.

Anonymous said...

I got infected today and what I did was I logged in safe mode with networking and restored my system to a date one week before. It's not gonna delete any files but just changes in the registry and downloads so it would remove programs such as Antivirus Soft etc. I didn't need to download any other programs to remove the spyware/malware so I think this is a safer route.

Anonymous said...

What can I do to prevent this from happening again? I got this virus from myspace and previously another similar one.

Anonymous said...

My work laptop got infected today and when I try to start the computer in safe mode with networking it is just frozen at my log in screen. I've tried all the suggestions I've found here and I'm still stuck with this virus. Does anyone have any suggestions!!????

Anonymous said...

Oh my god!!!! This helped me get rid of that stupid fake antivirus software!!! After almost 3 hours of screaming at the computer, out of frustration, i finally got rid of it! Thank you for this who ever you are that posted!

Anonymous said...

Got infected. Did the F8 thing to get into safe mode with networking. Couldn't run SUPERAntiSpyware in this mode.. Spybot didn't work.. need help.

Admin said...

"What can I do to prevent this from happening again? I got this virus from myspace and previously another similar one."

First of all you must have anti-spyware or anti-virus software with real-time protection. A free anti-malware scanner such as MalwareBytes is not enough. If you don't have one then most likely your PC will be infected again. I recommend software that has good 0Day Malware blocking and detection rates. That would be:

-Kaspersky Internet Security 2010
-ESET Smart Security
-PC Tools Internet Security 2010

Admin said...

For those of you who can't start their PCs in Safe Mode with Networking, please use SafeBootKeyRepair first. Just read the 1st step carefully.

Anonymous said...

Spybot is not exposing any issues. I renamed spyname.exe to iexplorer.exe (no *162.exe in my spybot folder) to see if that'll work. I was able to install MalwareBytes and it found quite a few problems when I said "fix" it said "pay money." Is that what everyone else is doing? I'm a little suspect when money is requested....?

Admin said...

No, MalwareBytes should be free. Did anyone else have to buy MalwareBytes? That's very strange. Try to download it from the official website:

http://malwarebytes.org/

I will have to remove MalwareBytes from the list if such problem repeats.

Anonymous said...

I was attempting the normal login removal instructions and ran the hijack this and killed the two entries i had that matched. Now my malwarebytes freezes when I attempt to do a full system scan (though the program will launch).

Admin said...

Maybe there are more malicious entries in HijackThis scan results that need to be fixed. Also you may try another software, SUPERAntispyware or Spybot.

There is also a free version of Spyware Doctor on Google Pack website.

http://pack.google.com/intl/en/pack_installer.html

Anonymous said...

How does one go about renaming Spybot?

Anonymous said...

ok i didnt the whole safe mode and downloaded Super antivirus, but now it just says "the system administrator has set policies to prevent this installation

Anonymous said...

Thanks for this really helpful forum! Even when updated and in safe mode spybot didn't detect the problem but malware bytes did and it removed it. I would also suggest that people run a search for "sftav.exe" in their hijack this logs, click on the correct entry, and then fix the checked entry.

Anonymous said...

Thank you very much for this information, I just used an updated Malwarebytes from the instructions above and it worked perfectly

Anonymous said...

What happens if you get the Antivirus Soft virus and you already have an anti-virus program on your computer? I just got the virus last night while on MySpace but I already have Norton 360. Anyway, I just did a system restore to 3 days back then did a complete scan and that seemed to work. Oh, is MySpace or Facebook doing anything about this virus?

Anonymous said...

I followed these steps on rebooting my computer and tried going through safe mode but then my computer just shut down. I then downloaded the SafeBootKeyRepair but I cannot open it because Antivirus Soft won't let me open many programs or do much at all; it tells me everything is infected and doesn't let me open things. So now what?

Anonymous said...

Here's what I did since I couldn't get into safe mode...Restart your computer, and as soon as windows starts, begin to hit the start button, then "run." If you do it quick enough you can open "run" before the antivirus soft starts up. Type "msconfig". Then go to the startup tab and disable all services. Restart the computer. Of course, the virus is still there, but you can now get online to download one of the antivirus programs to fully remove it. Good luck. Sean

Anonymous said...

I "Restored System" (Start>All Programs>Accessories>System Restore) to a previous date in "Safe Mode With Networking" and it worked like a charm. I didn't lose anything important ("anything important"=music), a couple of documents, and other stuff I had before the Malware. But I'm guessing that the results I got with my files aren't typical for everyone. I got this Malware today after I restarted my computer when I logged onto Myspace earlier so that may be the cause as other posters have stated. My sister logged on Myspace after I removed it so I'll see tomorrow if I get it again when I get in again (using my iPhone by the way).

The easiest way is the System Restore for all my lazy people out there haha.

Anonymous said...

I'm having some trouble opening up the scanners you recommend. It seems to be that any spyware programs I've had in the past won't open, and any new programs will work once. Any ideas why this might be so and how to stop it so I can remove this problem?

Anonymous said...

This thing BITES. I can run in safe mode, and I've done scans with updated Malwarebytes and with Spybot S&D. They find a few things and fix them, but it's still there if I restart in normal mode. Each scan takes almost two hours, and I still can't use my machine properly. I haven't been THIS hosed since MSBlast was brand new. I don't want to use System Restore.

I hope someone comes up with a stinger for just this, because as far as I can tell, it really went widespread in the last few days.

Anonymous said...

Got it through Photobucket last night. Blocks Malwarebytes from updating. Seems it blocks system restore, as well.

Anonymous said...

I've tried both Malwarebytes (didn't detect) and SpyBot (won't even run, even in Safe mode). Also, I can't get to the internet in Safe Mode with Networking. I tried the safebootkeyrepair file, but when I try to run it, it says it's only supported by XP and 2000 (I have Vista). Also, the system restore tip won't work. Does anyone have any other suggestions? Thanks in advance.

Admin said...

Yet another very simple tip, but may actually help I think. In Windows XP check these folders:

C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\

C:\Documents and Settings\All Users\Local Settings\Application Data\[random]\

In these folders you will find either [random]sftav.exe or [random]sysguard.exe file.
Rename that file to something like aaabbb.exe and restart your PC. There is a chance that Antivirus Soft won't load up.

In Windows Vista and 7 go to this folder and do the same:

C:\Users\[Username]\AppData\Local\[random]\

NOTE: By default these folders are hidden. To unhide these folders (and others), open the Folder Options in the Control Panel, and on the “View” tab, change the option to “show hidden files and folders”, and click OK.

Anonymous said...

I did as Admin suggested above and deleted the file in said folders. I restarted and Antivirus Soft did not load up. Does this completely fix the problem? Or does it just stop the pop-ups? Right now this is the only solution that works for me. I've tried all the others. Malwarebytes and Superantivirus won't get rid of it.

So, is the virus still a threat to my system using this method?

Anonymous said...

I did a system restore to get rid of the virus but I still want to download Malwarebytes, just to make sure, but I already have Norton 360. Will the two conflict with each other, because Norton detected no virus after the restore (w/ a full system scan)?

Admin said...

Removing Antivirus Soft files doesn't completely fix the problem. You should still scan your computer with an anti-malware application. Try the free version of Spyware Doctor.

http://pack.google.com/intl/en/pack_installer.html

----------------
Norton 360 and MalwareBytes probably won't conflict with each other, so you can use.

Anonymous said...

Hi there! Your help came in REALLY handy when this stupid AV soft crap took over my PC.
Questions though; 1) Clearly the lines of code changed, the names were different which creeps me out that there are other strings of code that are still there in my pc. But at least the cheesy ads and the endless warnings have stopped.
2) In HijackThis, I clicked on the "analyze this" button. I know you didn't say to, but the HijackThis instructions on their menu said to analyze before deleting. Where did the log file get uploaded to? Who got all that info?
Thank you!

Admin said...

1) Just scan your PC with MalwareBytes or SUPERAntiSpyware to make sure that your computer is clean now.

2) No one got your log file. The "analyze this" button redirects to the Trend Micro website with further instructions where you can upload your scan log. It doesn't upload the log file automatically. Don't worry!

Anonymous said...

Also I am very curious how I acquired this AV soft virus. I am usually very careful. Someone said they got it on myspace. How does that happen? I was just on myspace the night before updating my blogs.

Anonymous said...

THANK YOU SO MUCH FOR THIS.
TOTALLY WORKED

Anonymous said...

Thank you very much!!! I was infected and all I could do was use the internet and restart my computer. This computer doesn't belong to me. So you really saved me. One thing I'd like to know is where did this virus come from?

Anonymous said...

Thank you so much!!

Anonymous said...

Hi there, I'm having the same issue everyone else is having. I tried Malwarebytes and it found 6 items on my computer, but when I rebooted nothing happened. The virus is still there.. did I do something wrong? 'Cause I got Spybot and I downloaded HijackThis, and when I did scan only, so much stuff pulled up. I don't want to delete anything that I'm unsure about, so when using HijackThis, what are you supposed to delete from it and stuff? I'm so new to this and I don't want to make matters worse. Some help please, 'cause this is annoying having this thing on my computer =/

Admin said...

In HijackThis fix only these lines:

O4 – HKCU\..\Run: [random] C:\Documents and Settings\user\Local Settings\Application Data\[random]\[random]sftav.exe
O4 – HKCU\..\Run: [random] C:\Documents and Settings\user\Local Settings\Application Data\[random]\[random]sysguard.exe
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O17 – HKLM\System\CCS\Services\Tcpip\..\{FB4A8652-066F-4D0A-8FEE-BEFF869D51BB}: NameServer = 193.104.110.38,4.2.2.1,192.168.1.1

Don't fix any other lines.

Anonymous said...

I did this
&& when I went to safe mode with networking
all it did was show up some blue page with writing and it told me to do the same thing over, but it doesn't work, it doesn't stay in safe mode.

Anonymous said...

I found 2 files in my pc that stopped the alerts.

The name was: tivmsftav.exe

That name was in my C:\WINDOWS\Prefetch
and an application in c:\Documents & Settings under local settings/Application Data

Anonymous said...

Thank you so much, Spybot worked perfectly and got rid of my problems. now i can actually use my computer

Anonymous said...

None of the above solutions was working for me, so here's what I did:

Windows XP Media: I turned on pc in normal mode, hit ctrl alt delete to pull up the Task Mgr before the alerts started and watched the processes. I looked to see what was changing at the point the alerts came on. Didn't catch it exactly but noticed this one: tivmsftav.exe looked it up on Google, couldn't find info on it, so I ended the process. Within a few seconds all the fake alerts disappeared. Then I did a Search for tivmsftav.exe and deleted it. It was in c:\WINDOWS\Prefetch and in App Data under ggryoc\tivmsftav.exe in the Doc & Settings.

I'm not a techie, but so far this is working for me. I deleted a bunch of other stuff in App Data that I looked up on Google to discover if malware related or not. There may be more crap in my pc, but I'm rid of the alerts at least and everything seems to be running ok, even after restarting in normal mode.

Thanks to everyone here trying to help each other. Without your hints and clues I never would have found a solution. I hope this helps somebody. Or if I really screwed up, somebody please say it so nobody else follows in my ignorant footschteps, footschteps, footschteps!

Anonymous said...

Thanks!

A system restore solved my problem; booting in safe mode wasn't necessary.

James said...

I couldn't restart in safe mode with networking, downloaded HijackThis but it wouldn't open, and I couldn't find any direct matching file names as listed above.

I restarted again (for about the 5th time today), to try the ctl+alt+delete trick and end the process, but this last time I started up I got no pop-ups or anything.

However, now that I look in my application data I find a folder titled "yqachx", and within that folder there is an .exe program titled "blsjsftav". The properties show that this folder was created today at 10:58 am, right about the time I started having problems (I was on photobucket around this time). Do I just delete this file/program or what do I do from this point?

Also, there is a folder titled "mqeueo" but it is empty. Should I delete this too?

I've had a lot of problems with malware recently. A couple weeks ago I got "Internet Security 2010" and had to take it to a shop to get cleaned/fixed for $60 bucks. Then a few days ago I got XP Guardian and (thankfully) fixed it with the help of this site. And now this stupid Antivirus Soft..

Anonymous said...

Thanks for the timely instructions. I had already tried using a scan with malwarebytes to no avail. After booting in normal mode, I was not able to use system restore. So I rebooted in safe mode logging in with the same identity and the restore was successful. Excellent advice. I use Avast antivirus, but it did not block "Antivirus Soft" from self installing on my system. Does anyone have advice of a better "real" antivirus program to use?

Anonymous said...

Nothing is working. I am so frustrated and I have no idea what to do. I cannot start my computer in safe mode. Even renaming the file to be able to do it, it still won't let me run it. Same with HijackThis. I renamed the file. Nothing. Won't let me open it. I don't know how to find it in my program files. I want to scream.

Anonymous said...

This is not a removal solution but a short term solution to disable this virus, maybe... if the virus program is running...go to the windows task management screen (look under applications) and you will see the program by its name listed (antivsoft). If you right click it, the menu that pops up will give you several options. I think it is the last one that says "go to the process". Click that and it takes you to the name of the program (just a bunch of letters)... Then right click that program and select end process... this seems to disable the program.... it quit giving me those pop-ups and it allows me to do other stuff that could not be done before... Next I am going to try to run malware and other programs now that it is disabled....to see if they work. I am crossing my fingers.

Anonymous said...

I think that I have finally gotten rid of the Antivirus Soft malware. I scanned my system with malwarebyte's but had no luck with it. However, I had not updated it like the Admin kept saying. I was able to stop the process by doing a ctrl+alt+delete right after logging into windows which allowed me to activate task manager before the malware loaded and looked for a process ending with sftav as mentioned in a previous post. The process was named "wacqsftav.exe". After ending the process I ran HiJackThis and searched for all occurrences of sftav and fixed them. I rebooted without any issues. I am running an updated malwarebyte's scan now to hopefully remove any leftover pieces. Good luck!

Anonymous said...

Thank you so much. My son's computer went insane with this virus. I forgot to change the name- actually could not figure out how to. I ran spybot, then malware and all is ok. It was Facebook he was on.

Anonymous said...

I have Windows XP and can't complete the download process for SpyBot. I even tried putting it on a flash drive and running it from there. It's also not letting me look for the folders everyone is listing above. Is the virus being changed to adapt to these fixes? Do I have to take my computer to a shop now?

Anonymous said...

Worked like a charm! Thanks

Ekin said...

Life Saver, My company laptop got infected at the client's office, and I had no choice but clean it myself.

Malwarebytes didn't recognize the problem so I used the spybot and cleaned it ok.

@Admin

I used rkill.com to stop the pop-ups and it worked fine, then ran the spyware program. If you wish you can add it as one of the alternatives as well. I got it from this link:

http://download.bleepingcomputer.com/grinler/rkill.com

Thanks again for the help,

Anonymous said...

Thank you so much, a full scan with Malwarebytes' did the trick!

Anonymous said...

Spybot Search & Destroy couldn't detect the virus, however, Malwarebytes did and removed it.

Thank you for the removal instructions and thank you to the makers of Malwarebytes for producing a superior product!

Anonymous said...

Got infected with this from myspace today, downloaded malwarebytes, rebooted to safe mode with networking, installed malwarebytes ran the update and then did a full scan it detected 1 reg key and 2 files. removed them and rebooted to normal mode, all gone

Thanks!

Anonymous said...

HELP PLEASE!!!
Followed this guide, booted into safe mode and updated and performed a full scan, found two problems and fixed them. After this I can't boot into normal mode at all, I mean the windows Vista tune plays, but after that startup window disappears a black window follows and the computer is just waiting, not showing the desktop only the mouse.

Anonymous said...

i tried uncheckin the proxy box.. and it wont let me.. it says the file is infected.. and i cant use internet on that comp. how do i download the program to remove it then?

Admin said...

What program did you use? Probably it did something wrong and now you can't start your PC in Normal Mode. Sometimes such things happen. Try to repair the system if you have Vista DVD. Detailed tutorial how to do this:

http://www.bleepingcomputer.com/tutorials/tutorial148.html

Also you may reboot your PC in Safe Mode again and restore the system to an earlier date. NOTE: select restore point which was made before your PC got infected. Good luck!

Admin said...

"i tried uncheckin the proxy box.. and it wont let me.. it says the file is infected.. and i cant use internet on that comp. how do i download the program to remove it then?"

Are you in "Safe Mode with Networking"? You have to complete the first step before going to the second.

Leeness said...

Ugh. This virus is driving me up the wall. I've done all this, and run Malwarebytes, and it detects everything, and removes it, but when I reboot my computer, the virus is still there. What the heck is going on? Also, Hijack This doesn't find anything with the sysguard or sftav on the end.

Please help. :(

Leeness said...

I also just ran the SafeBootKey and I still can't get into Safe Mode. :( I mean... I don't need to use IE (I have Firefox) and I'm able to download stuff. But nothing is actually DOING anything. It all says it's doing something, and then doesn't.

Anonymous said...

wow thanks a lot its been annoying the hell outa me for the past few days

Anonymous said...

i have this problem also i downloaded the software did everything in safe mode, it said it was removed went back into normal mode and its still here. but in the beginning when saving i cant rename the file, so i renamed it after saving. could this be a problem? HELP PLEASE.

Anonymous said...

I did everything u said and when i went in normal mode, virus came back, wont let me open anything

Anonymous said...

thank you so much for the help, i really need it

Admin said...

Leeness, try to restore your computer to a previous date when your PC was not infected. Let's say a week ago. Read here how to do that:

http://support.microsoft.com/kb/306084

Anonymous said...

Ok. I ran Spybot in safe mode. When I ran it in "normal" mode, it shut down and the malware was STILL there. I tried this. Like others said, do ctrl-alt-del to get to task manager BEFORE the malware has a chance to pop up. Delete anything that ends in sftav. I did that, but that little icon was still there in the bottom. I then deleted something with QX in the process. That seems to have done it. I am now re-running Spybot. I will keep you all posted. This is insane, and I'd like to wring the pencil neck of whoever is responsible for this.

Anonymous said...

I tried to restore to earlier date through start,programs,system tools and restore. Window appears with Application cannot be executed. The file rstrui.exe is infected. Do you want to activate your antivirus software now? What to do, I can't even open winlogo.com and inexplore.exe without same message.

Admin said...

Did you read the removal instructions? You can't restore your PC when there's an active Antivirus Soft process. That's why you get that error message. You have to end its processes first. Please read the removal instructions carefully. Good luck!

Anonymous said...

I found the file and renamed it to random letters so now the program doesn't load up. I scanned my computer and everything, and it says its clean
so does that mean my computers safe now? even tho the files still there just renamed to something different

Anonymous said...

do i need to be in safe mode, to do the system restore? ive tried doing it in normal mode, but it wont let me.

Admin said...

Q: "I found the file and renamed it to random letters so now the program doesn't load up. I scanned my computer and everything, and it says its clean
so does that mean my computers safe now? even tho the files still there just renamed to something different"

A: It's not safe yet. Download and install SUPERAntispyware. IMPORTANT! Update it before scanning.

Admin said...

Q: "do i need to be in safe mode, to do the system restore? ive tried doing it in normal mode, but it wont let me."

A: Yes, try to restore it in safe mode with networking. But it would be a lot better if you run a system scan with an anti-malware program while in safe mode with networking.

Anonymous said...

YES! this is a fantastically easy method. knew there was something wrong, put in my antivirus disk to install the program, and it wouldn't let me!!! So deleting those files really helped...question: why would you do the whole reboot if you can just dl the program and delete the infected files?

Anonymous said...

rkill really helped me get a grip of my computer for awhile and install the anti malware programs I needed to solve this problem. I got rid of over 100 infected files but once i rebooted in regular mode the stupid antivirus soft was and is still here on my computer.

malwarebytes won't let me update, neither will any of those other anti malware programs someone else suggested to me and if i go in safe mode i can't go online to look for help

this virus is a real pain and i hope i wont end up having to pay someone to get rid of it.

Anonymous said...

couldn't go into the safe mode, and couldn't run the SafeBootKeyRepair thingy cause antivirus-soft (SO fucking annoying) kept blocking it.
so I followed the instructions for normal mode (with HijackThis + spybot) and spybot found something called "Fraud.Sysguard" which i'm hoping is the right one >_>
anyways, THANK YOU SO MUCH!!1!

Anonymous said...

it doesnt give me a chance to rename the file until after it is downloaded but i cant open it once i download. i cant get into the registry to find it on here at all. please help

Anonymous said...

Running "Spybot" in safe mode and normal mode didn't remove it for me, didn't detect it. Fyi, I followed the steps again using "MalwareBytes", this time it was detected and removed.

Admin said...

Q: "why would you do the whole reboot if you can just dl the program and delete the infected files?"

A: Some people can't download removal tools in Normal Mode because the rogue program blocks it.

rogueamp said...

You should embed my videos more often ;)

Admin said...

Thank you for the video rogueamp. I will ;)

Anonymous said...

Thank you SO MUCH admin, and everyone else's posts! I deleted one of the execute files as said earlier (if you want to see the post just search on this page 'aaabbb'), which seemed to have stopped the irritating popups.
I used Spyware Doctor which detected a few, but after doing so rebooted in 'Safe' mode and used my previously downloaded 'Malwarebytes' to detect and remove the rest. Malwarebytes showed that this virus had in fact added 3 new trojans to the list rather quickly.
Shame, although it initially blocked a few, these trojans appeared to have walked right by my Norton 360... (N). Restarted now in Normal mode, things seem to be ok.

@Admin, Is there anything else I should do? Should i still run a system restore??
Still not even sure where I received this virus from either..

Anonymous said...

Will norton antivirus get rid of it if I renewed my subscription after I got the virus??

Admin said...

Q: "Will norton antivirus get rid of it if I renewed my subscription after I got the virus??"

A: Probably not. Norton isn't the best program to remove such viruses.

Admin said...

Q: "@Admin, Is there anything else I should do? Should i still run a system restore??
Still not even sure where I received this virus from either.."

A: No need to do a system restore if things seem to be ok.

Ryan L said...

@Admin.

Hello, and thank you for all the wonderful tips for removing this virus. Mine in particular was especially tricky. I used a combination of every tactic you suggested to finally remove it. From HiJack This, to file-shredding the folder it placed in my Local\Apps folder, to an anti-malware. When I started the computer it loaded perfectly, without the virus. However, somewhere in the process, my file extensions and program recognitions have ceased to work. As in, any icon on the desktop I click, it asks me what program I would like to use to open the file. As of now, I'm accessing all programs from the Program Files(x86) folder. Almost notable is that when selecting the proper file extension, there's a checkmark box which indicates keep this selection permanent, however, it is grayed out and therefore unclickable. I'm not so bad with a computer, so thankfully I'm able to resume my work as normal, but I know something is wrong. I hope you may know what caused this or an easy fix, and thank you for the assistance in removing the virus.

Anonymous said...

BY FAR THE MOST INFORMATIVE (!!!) removal advice for this pesky virus.

thank you so much :]

Anonymous said...

I would like to say this. Many people had to waste time and be subjected to the stress of this invasive software. It was sent to my PC via MySpace. Java opened up and MySpace transmitted it.

Anonymous said...

I'm having issue with my laptop and I can't get rid of Antivirus soft off my laptop.. I tried Spybot and Malwarebytes and it didn't do nothing for me. For as hijackthis I don't know what to delete or what I'm looking for. And I tried to reboot my computer and I still have this crap on my computer... It's so frustrating cause I got it from myspace and facebook too. And I don't know what's going on what to do about this issue. Could someone please explain to me what I should do. Cause I'm in safemode but it's only so much you can do..

Aidan G. said...

I already have Malwarebytes Anti-Malware and Spybot Search and Destroy. I did a full scan with anti-malware and deleted all the malware files. However, this malware is still on my computer, which has 3 separate accounts.
What do I do next?

Anonymous said...

i got the antivirus soft and now it wont even let me log into windows.. it keeps saying i need to register my windows... wtf? wont let me even log in with safe mode. i also tried using my reboot disk and it still will not let me go anywhere...

Steve said...

As soon as your computer starts hit ctrl+alt+delete and get into your processes! If you do it at the earliest possible moment you should be able to beat startup on antivirus soft. You can then find the virus and turn it off, giving you complete freedom to download, install and run whatever to get rid of it.

Anonymous said...

Thanks for everything!

The virus hit me Feb 16, 2010.

I tried using MalwareBytes but it did not work. However, SuperAntiSpyware worked just fine!

Thanks a million!

Also, if you want to be able to use your computer for people that can't... you can download an rkill file that basically closes all the programs including antivirus soft so you can open spyware freely and detect the virus. I don't know, it worked for me... you can get the file here...

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-soft

Anonymous said...

Installer won't run in Safe Mode. Also tried in Normal Mode but looks like the stupid spyware is preventing the installer from running there too. Yes, I did rename the install file.

Anonymous said...

Antivirus Soft is a damned shit difficult to remove. I couldn't install either MalwareBytes or Spybot Search&Destroy, even in safe mode with network, nothing seemed to work. At last I restored WXP to a previous state in safe mode, then reinstalled Spybot Search and Destroy successfully, updated it, performed a full scan and eventually everything was fine again.

Anonymous said...

ive downloaded superantispyware but it says that the system administrator has set policies to prevent this installation. im pretty sure that ive done everything. updated malware did not work and spybot did not work.any advice?

Anonymous said...

I didnt find this site until AFTER I cleaned up my computer manually. I couldnt get to the internet and didnt know what it had done so I just scoured the registry myself. Good thing I was using WinXP because if it had been Vista, I'm just not registry savvy on Vista yet. Anyway, this site tells it exactly and helps you solve it exactly. I THINK I picked it up from WEBSHOTS downloading some desktop backgrounds. Wont go there anymore either!
Thanks for posting this, I know it will help many.

Anonymous said...

I had the "Antivirus Soft" virus and seemed to (I've been running now for ten minutes and it seems to be fine again) have taken care of the program this way:

Simply do a "system restore" after having booted up in "Safe Mode" (had to use Safe Mode because the "Antivirus Soft" wouldn't allow me to access my "System Restore" in regular mode).

Hopefully the virus doesn't come back. I post this message because doing a "System Restore" is much easier and faster than downloading and trying to use "rkill" ("rkill" didn't work for me).

Hope this helps.

Anonymous said...

I'd like to add to this, that if you bring up task manager as soon as you get into windows (and before antivirus soft loads) then you can kill antivirus soft's exe and that will allow you to download and run other programs. Don't know if it lets IE run because I don't use it.
The exe is called sdnusftav.exe

Anonymous said...

Thanks for the tip Steve. Would you happen to know the name of the processes that I need to stop? TIA.

Admin said...

Q: "Would you happen to know the name of the processes that I need to stop?"

A: Look for [random]sftav.exe. For example: roptsftav.exe

Anonymous said...

Thank You so much for your help. I had Norton Antivirus 360, which I paid over $60 for. On a full scan with latest update turned up nothing. The free Malware bytes program which you recommended is in the process of running and has already found 4 objects infected. You guys are lifesavers.

Anonymous said...

I am throwing in my 2 cents.

My laptop was infected by this annoying virus. It keeps popping out alarms and asking me to pay. TaskManager does not start. Control panel does not let me to go to Add/Remove program tab. It does not start with safe mode. Every time the system is booted in normal mode, the dame "antivirus soft" starts up and displays a token like a green check mark in my Windows toolbar. I was very scared.

Here is what I did to successfully remove the virus:

1. I used my XP CD that came from Dell (fortunately I found it!) and boot my laptop from CD.
2. I used "R" to try to recover OS but it did not allow me to boot safe mode either
3. I had to reinstall Windows XP
4. After 40 minutes, the XP was installed.
5. I finally was able to boot XP in safe mode with networking
6. After XP was up, I used start-menu/run and type msconfig
7. In the msconfig window, found startup tab and carefully go through the startup list. Finally I spotted the criminal. The name was iftkjs (looks like a random name). I unchecked it. Following its location column, I also found the program. It was under "C:\Documents and Settings\\Local Settings\Application Data\iftkjs". I deleted this entire directory.
8. I booted my machine in normal mode. This time the virus did not auto started. I knew that I got it right.
9. In the normal mode, I cleared up the registry as described in this article.

Now my computer works fine. But 4 hours of precious time was spent on this thing. Whoever invented this virus should be put into jail!!

jwdai

Anonymous said...

i ran malware bytes and it removed all the viruses but i was in safe mode and then i logged in normally and the virus wasnt popping up anymore but i scanned again to be safe and it found two more viruses which i deleted i was just wondering if i need to do more or if my computer is safe now.

Anonymous said...

Seems like the infected pop-up process is single threaded. So, I tried to launch (for example) notepad.exe and then when the "infected" pop-up comes up, I leave the pop-up running in the background -- which ties up the Antivirus Soft process. I then launched task manager, found the [random]sftav.exe process and ended it. I then ran a full-scan with Malwarebytes which found the trojans and removed them. So far so good.... just another method to try....

Anonymous said...

My thank you to all. This site has been helpful to understand what damage the file was doing (just annoying) and multiple ways to help get around it.

Anonymous said...

Hi, I just now got this infection (Feb. 19). I restarted my computer in "Safe Mode with Networking".........then just did a system restore. It worked PERFECTLY!! Nice and quick!! So, for now I'm good, but I just hope this nasty thing stays away!!

Anonymous said...

I got the Antivirus Soft trojan virus last night. You would be surprised to know how that happened. I am an engineer and I was searching in Google some Acme lead screws that I needed for my design project. The website where I got infected was www.business.com. It seems that this virus is wide spread if one can get it on such place as business.com doing some research work.
To get rid of the virus I followed instructions that were provided on the BleepingComputer.com. After the first attempt, I rebooted my computer from safe to normal mode, but the virus was still working its job as before. So, I tried again the same process. The Malwarebytes did not find any infected object this time. I went again back to normal mode with intention to try ctrl-alt-del and to find the malicious files in the task manager and end those processes. However, this was not necessary since the virus did not display any of its fake warnings. I was now able to connect to Internet and to update the Malwarebytes. Right now I am performing the full scan. After more than an hour and about half of all files scanned, the Malwarebytes found 1 infected object, which might be the Antivirus Soft itself that was not detected in the first scan.
For now it looks that virus is gone. I will keep you updated. Thank you all for your inputs. All of us together can win this fight against a few bad guys.

Anonymous said...

got the infection today... reformatted my computer and reinstalled windows XP. I copied my data files on a flash USB. Does anybody know if my data is OK (not infected)?

Anonymous said...

HELP! Tapping f8 does nothing for me. I saved safe boot repair to usb from another computer and tried to run it on mine but got blocked. I tried ctrl alt del and managed to get task manager up but found no process with hpiss. I'm running XP What do I do?????

Anonymous said...

A+++ What a great thread thanks so much for the information this took just about 2 hours to clean at 1AM when i was just getting my gaming on! :(
But i was able to fix it; HijackThis took care of it when spybot failed to do it. Either way im glad its off and i'll be protecting myself better from now on. I believe i picked it up from a site called TVDUCK; i was watching some Archer episodes and all of a sudden this started up.

Anonymous said...

ok pressed f8 and got a black screen that says please select the operating system to start. Microsoft Windows XP Home Edition is the only selection and is highlighted use up and down arrows ...blurb and then down the bottom to press f8 for troubleshooting and advanced start up options for windows but when I press f8 nothing happens if I press enter nothing happens

Anonymous said...

wow, i worked for hours trying to get rid of this problem. Once I found the info here, I had the problem solved in 30 minutes. I picked up the virus 2/20/10 from Facebook (I think). Major pain but this blog helped solve it. Thanks so much for the great info.

Jim said...

My PC was infected on Feb 19. I restart Windows XP in normal mode, open Task manager before AV Soft, stop it when the malware was loading, then Windows seem to work ok. I used Malwarebytes to do a quick scan and remove the malware (takes about 15 minutes). The log shows:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Anti-Virus Professional (Rogue.AntiVirusProfessional) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Compaq_Owner\My Documents\downloads\avgprosetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Anti-Virus Professional\nutilities.dll (Rogue.AntiVirusProfessional) -> Quarantined and deleted successfully.
I reboot my PC and it's working ok.

Thanks for all the help.

Anonymous said...

You can remove this antivirus soft by scanning with malwarebytes in less than 5 minutes

Anonymous said...

I was infected through FB last night, and I've tried many things, MalWare, Norton, the works. The steps I used though were slightly different than the steps here. MalWare fails to update when I go to update it. Any advice? I don't want to resort to a Full System Restore, because I have a ton of stuff to back-up. If I do, are those files safe?

Lucas said...

Thanks a lot for posting this, I tried everything and only HijackThis worked out of all the software. THANK YOU!!!!!!!!!!!!!

Admin said...

You can download MalwareBytes updates manually from here:

http://malwarebytes.gt500.org/mbam-rules.exe

System restore will affect only Windows system files but not your documents.

Anonymous said...

Many thanks! This solution worked. Everything back to normal.

Anonymous said...

I have tried to restore my system to as far back as I can and it still isn't working for me... the virus isn't going away and I am unable to do anything on my own computer... any suggestions?

Anonymous said...

I also used task manager right at boot up with CTRL+ SHIFT + ESC in order to open task manager quick enough to start end unknown tasks starting. Gave me the chance to operate w/out virus running..
Thank goodness I'm running Linux on this comp while I fix the other.
SUPERAntispyware seems to work.

Anonymous said...

System restore did the trick. Very useful...tyvm!

Anonymous said...

I got the virus last weekend, got it deleted. But my computer wont open internet pages. Outlook email is fine and so is AOL instant messenger. Just no connection to web pages. It tells me they cant be displayed. Modem was confirmed fine. Any suggestions?

Anonymous said...

Got this dumb thing too, think its removed. But cant get to any internet pages. Just Outlook email and aol instant messenger. Any suggestions?

Anonymous said...

Got infected by this on 02/26/2010...

Thank you for this tip

Best regards.

Anonymous said...

Followed your instructions to go into safe mode, disable proxy server for LAN, hunted down new .exe files in the spot you recommended, then search & destroy registry for avsoft and 127.0.0.1:5555, it seems to work.

Thanks for your help.
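The indicators commenters report in this thread ([random]sftav.exe inside a randomly named Application Data folder, a matching Prefetch trace, and an Internet Explorer proxy forced to 127.0.0.1:5555) can be checked together. The following Python triage sketch is an added example, not part of the original post or comments; the function names, the random-folder heuristic and the sample file tree are constructed for illustration.

```python
import os
import re
import tempfile

# Names reported in the comments: tivmsftav.exe, wacqsftav.exe, sdnusftav.exe,
# roptsftav.exe -> a few random letters followed by "sftav.exe".
SFTAV_NAME = re.compile(r"^[a-z]{2,12}sftav\.exe$", re.IGNORECASE)
# Windows Prefetch traces are named <EXE NAME>-<8 hex digits>.pf
PREFETCH_NAME = re.compile(r"^[a-z]{2,12}sftav\.exe-[0-9a-f]{8}\.pf$", re.IGNORECASE)
# Parent folders reported: ggryoc, yqachx, iftkjs (assumed heuristic: 5-8
# lowercase letters; it only raises confidence, it is not proof on its own).
RANDOM_DIR = re.compile(r"^[a-z]{5,8}$")
# Proxy value a commenter found in the registry.
ROGUE_PROXY = "127.0.0.1:5555"


def scan_tree(root):
    """Walk root and return a sorted list of (kind, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath)
        for name in files:
            full = os.path.join(dirpath, name)
            if PREFETCH_NAME.match(name):
                # Evidence the executable ran, even if it was deleted later.
                findings.append(("prefetch-trace", full))
            elif SFTAV_NAME.match(name):
                kind = ("exe-in-random-dir" if RANDOM_DIR.match(parent)
                        else "exe-name-only")
                findings.append((kind, full))
    return sorted(findings)


def proxy_looks_hijacked(settings):
    """Check ProxyEnable / ProxyServer values for the rogue local proxy.

    settings is a dict holding the two values as read from the current
    user's "Internet Settings" registry key (passed in so this runs offline).
    """
    enabled = int(settings.get("ProxyEnable", 0)) == 1
    server = str(settings.get("ProxyServer", "")).strip().lower()
    # ProxyServer is either "host:port" or "http=host:port;https=host:port".
    entries = [e.split("=", 1)[-1].strip() for e in server.split(";") if e]
    return enabled and ROGUE_PROXY in entries


def build_sample_tree(root):
    """Constructed layout mirroring what commenters describe (empty files)."""
    samples = [
        ("Application Data", "ggryoc", "tivmsftav.exe"),
        ("Application Data", "Mozilla", "firefox.exe"),
        ("WINDOWS", "Prefetch", "TIVMSFTAV.EXE-0A1B2C3D.pf"),
        ("WINDOWS", "Prefetch", "NOTEPAD.EXE-336351A9.pf"),
        ("My Documents", "downloads", "roptsftav.exe"),
    ]
    for parts in samples:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def run_constructed_demo():
    """Scan the constructed tree and return findings relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(kind, os.path.relpath(path, root))
                for kind, path in scan_tree(root)]


if __name__ == "__main__":
    for kind, rel in run_constructed_demo():
        print(kind, rel)
    print("proxy hijacked:", proxy_looks_hijacked(
        {"ProxyEnable": 1, "ProxyServer": ROGUE_PROXY}))
```

On an affected machine, point scan_tree at the user profile and the Windows folder (or at the mounted disk from a clean system) and treat hits as candidates to review, not as a verdict.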

Anonymous said...

my computer was infected thru myspace about a week ago. at first it was pop ups and fake virus scans but now it won't even boot. normal or safe mode, neither works. says the drive isn't recognized. i'm gonna try to download malware on my second computer and transfer it to a flash drive to use on bad computer. will this work? also what do you mean by renaming the file? thanks for any help

Michelle said...

I did a system restore and that seemed to fix the Antivirus Soft things, but now I can't use my Verizon USB broadband connection. Does the restore remove those files? (I was able to use the internet connection on the day I restored my computer back to.)

Anonymous said...

Worked brilliantly! I was so nervous about it not working, but this actually worked. This has saved me a lot of time and trouble over reformatting my computer. I won't be able to describe how happy I am to have saved my piece of junk computer! THANK YOU THANK YOU THANK YOU!

Coincidentally I already had spybot downloaded when I was infected (stupid me fell for the titles of flashupdates when antivirus forced itself in), but popping into safe mode and following these instructions didn't create any problems at all. Thanks again!

Anonymous said...

Got Antivirus Soft last night, can go in to safe mode, but rkill does not run, malwarebytes cannot update, cannot fix internet problem by disabling proxy server, no restore point works, cannot find files and folders in documents to rename, cannot find .exe file to stop running in task manager.
Tried everything, please help?

Anonymous said...

Tried everything, safe mode, fix internet, restore, file rename, Hijackthis, nothing works, please help.

Anonymous said...

I got infected last night with Antivirus Soft. I disable all on start up on msconfig, I removed files using HiJackThis. Cannot connect to the internet so I can't update Malwarebytes or any other programme, so I cannot remove the virus. I have tried disabling proxy server but this does not work, can anyone help?

Admin said...

Reboot your PC in Safe Mode with Networking and try to download MalwareBytes again.

Anonymous said...

I got Antivirus Soft. I CAN restart in safe mode with networking but canNOT connect to internet with internet explorer. So I am stuck at that point in the removal instructions. Also,I dont use myspace or facebook, so don't know how I got this.

Anonymous said...

I cannot connect to the internet in safe mode, normal Windows mode or any way at all, I disable proxy server but it still does not connect.

neodbunny said...

thanks for the help CHEERS

Anonymous said...

I did restore point after trying malbyte, spybot, and ccleaner, which none worked, the system restore did though. THANK GOD I was getting pissed

Anonymous said...

My wife's Vista64 computer got hit with this Antivirus Soft via an infected PDF. Wouldn't let me into safe mode with networking either. Had to run 'sfc /scannow' as administrator in a command prompt window to get safe mode going again. Then networking was somehow disabled. Had to download MalwareBytes on another computer, updated it, then copied the install file and the latest rules.ref file from c:\ProgramData\Malwarebytes onto a USB memory stick. Renamed the install file to iexplore.exe, ran it to install MalwareBytes pgm. Replaced the rules.ref file with the updated file from the other computer. Ran MalwareBytes program and found four entries related to Antivirus Soft. Removed them, then computer seemed to work OK again.

Anonymous said...

For those that have a hard time connecting to the internet in safe mode, even after you disable the proxy server, I had the same trouble and had to continually disable the proxy server. I opened two Internet Explorer windows and in one left the tools dialogue box open. I would wait for the error screen to pop up and then quickly disable proxy server and click on the website that I needed. I was like a madwoman trying to beat that software, but after about 10 times I got the timing down and was able to download the files I needed.

Now my internet explorer doesn't work but I was able to download Opera just don't feel like trying to figure out the Internet Explorer yet.

Anonymous said...

Ok, let me first say how thankful I am to have found this web site!

I got this on Saturday 2/27/10 from I believe YouTube. I was not on Facebook or MySpace.

Anyways here is how I removed it: (I am on Windows XP)

I did the control-alt-delete move right at start up in normal mode (I could not open up in Safe Mode). The {blahblah}sftav.exe files were in the processes (there were 2 little buggers!). I ended those processes.

Then I went to Start>Search>For Files or Folders>all files. I typed in sftav, and changed search place to My Computer. It found a package (a downloaded executable) with some weird name in my Documents and Settings folder. I deleted it. Then I emptied the recycle bin.

DONE!

Now I am going to download Malwarebytes to clean up any virus scraps laying around.

Anonymous said...

Thank you! Thank you! Thank you!!!!

Anonymous said...

I got this stupid virus yesterday. I use Vista and have Symantec for virus protection. When I restarted my computer it asked me if I wanted to allow AV to start. I said no and everything was ok except I could not connect to the internet. When I allowed it to start everything was "infected" and I couldn't connect to anything. I went to the folder that had the AV and deleted it and when I restarted I did not get a prompt to let AV run and everything works fine, except I cannot connect to the internet with internet explorer. I have other programs such as skype that use the internet and they work so I am connected, but internet explorer will not go to any websites; it talks about a proxy issue. Please help

Anonymous said...

@March 1, 2010: Avsoft also changes your Internet Explorer settings to force you to use a proxy. To fix this, open Internet Explorer and go to Tools -> Internet Options -> Connections -> LAN Settings and UNcheck the box for "Use a proxy server" and the one below it for "Bypass proxy...". Then you should be good to go.
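
The proxy check described in the comment above, as an added example that is not part of the original thread or the blog's instructions: it reads the per-user Internet Explorer proxy values from the registry, optionally turns the proxy off, and then re-reads the setting to see whether something switches it back on, as an earlier commenter reported. It assumes PowerShell 3.0 or later; the `-Reset` and `-RecheckSeconds` parameters and the backup file name are names chosen for this illustration.

```powershell
# Added example (not from the original comments).
# Audits the per-user Internet Explorer (WinINET) proxy settings and, with
# -Reset, turns the proxy off and checks whether it gets re-enabled.
param(
    [switch]$Reset,
    [int]$RecheckSeconds = 30   # assumed wait before re-reading the setting
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyState {
    $s = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = [int]$s.ProxyEnable   # 1 = "Use a proxy server" is checked
        ProxyServer   = $s.ProxyServer        # host:port the browser is sent to
        ProxyOverride = $s.ProxyOverride      # bypass list behind "Bypass proxy..."
    }
}

$before = Get-ProxyState
$before | Format-List

if ($before.ProxyEnable -ne 1) {
    Write-Output 'No proxy is enabled for this user.'
    return
}
if (-not $Reset) {
    Write-Output 'A proxy is enabled. Re-run with -Reset to turn it off.'
    return
}

# Keep a record of what was configured before changing anything.
$backup = Join-Path $env:TEMP 'ie-proxy-before.xml'   # hypothetical file name
$before | Export-Clixml -Path $backup

Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue

# If the value flips back, a running process is still rewriting it, so the
# cleanup is not finished and the setting will not stay fixed.
Start-Sleep -Seconds $RecheckSeconds
$after = Get-ProxyState
if ($after.ProxyEnable -eq 1) {
    Write-Warning "Proxy was re-enabled ($($after.ProxyServer)); something is still changing this setting."
} else {
    Write-Output "Proxy is still off. Previous values saved to $backup"
}
```

Close and reopen Internet Explorer after a reset so it picks up the changed values.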

Anonymous said...

Oh wow... It seems all of us were infected around the same time. Did anyone else's bring up porn links?

Anonymous said...

ok--just read through these posts and getting ready to try and restore system to a few days ago. I got up today to this on my computer--this is one powerful virus and of note the first I've ever had! The only sites I was on were automotive repair--trying to figure out how to fix my bleeping car! I think it might have occurred when opening a repair video and it said my flash player needed an update, but not certain. Hoping this will be an easier fix than car--I am neither mechanically nor technologically inclined. Thanks all in advance.

Anonymous said...

THANK YOU THANK YOU THANK YOOOOOOOOOOOOOOOOUUUU! YOU ARE A SAINT!! worked perfectly with the hijackthis tool!!

Anonymous said...

From my heart

MANY THANKS, yes i am done using
"Alternative Antivirus Soft removal instructions using HijackThis (in Normal mode)"

Anonymous said...

this is a darn shame. Shame. Shame. Look how many of us have gotten this junk. How many of us are paying for "protection" and STILL got it.
Tell everyone you know so people will stop buying it from the hateful creators. Unplug the computer when you see this pop up, you don't have time to do much else. Unplug, and restart in safe mode and get busy... Thanks for this site!

Anonymous said...

Thank you a million times and more! I don't know how I got the virus but it happened about 2 hours ago tonight and I was in shambles not knowing what to do. I found your site and followed all your instructions exactly. I was not able to download spybot in safe mode so I threw caution to the wind and restored my settings to a few days prior to this event. So far everything works and looks good, but I will be taking my netbook in to get a better virus protector software installed just in case. My question is, by restoring to my default settings does this truly fix my PC by forever getting rid of the virus and am I safe to go to secure sites where I have to submit credit card numbers and personal data etc.? Thank you again, it's good to know there are good people willing to help.

Anonymous said...

Ok I spent 20 hrs playing with this because I just didn't want to give up and do a restore. I'm just stubborn I guess. I got mine while downloading a PDF owners manual for a cell phone. I had all the problems except I have several puter's on a network together so I could work it out. I have used avira but it was disabled to the point that I had to reinstall it. I used spybot and another pay-to-clean, but once I had the name I didn't need to pay. I did a search and deleted it. I still only removed 4 or 5 files that way. My power software is advanced system optimizer. In safe mode it took about 20 hrs and found 42 files that the others never saw. But then I still had the nag files. So I did a generic search for "*sftav" and came up with two similar files to those that others have mentioned, that were a "fetch" and an exe that kept pumping out the nags. I got Paladin a week ago and it is similar and it did place porn links on my desktop but this didn't. Since the file names and locations seem to change they must be morphing it every day or so. Point taken that we need all the power we can get. To heck with a slower load each start up or download. The freeware did some of the job but my optimizer did most of it. It deep cleans and then I used its registry cleaner to take care of that. I only had to go in and manually remove "AVsoft" or whatever it was called from the registry. I'm grateful to all who helped and I feel great that some of us beat this thing. If no one has mentioned it I'd suggest we shred our trash files. Also it does look like Malware now charges.

Anonymous said...

Yes! It took several tries, and my system froze on SpyDoctor, which I could then not reopen. But I tried Malwarebytes, which seems to have done the trick (fingers crossed). Thank you so much!

Anonymous said...

My son got it off myspace, he clicked on a friend's profile and then our puter was hit immediately. Spread the word to everyone to go and put antimalware on their puters before such a thing can happen. Downloads are free at download.com

Anonymous said...

What worked fast for me:
With Vista 64 Home Premium (SP1), I rebooted normally and immediately to get Task Manager.

Interestingly, without doing anything else (only Task Manager on screen), the AntivirusSoft didn't start sending out alerts, so I couldn't tell which process/files to delete, but I was able to open FireFox 3.5.8 (IE wouldn't connect) to download/install MalwareByte (SpyBots wouldn't install). I got an error upon installing Malware, but it continued and installed successfully anyway. I did the quick scan and it found the offending program and deleted it.

Everything seemed back to normal, but I had some continuing problems with IE getting access to web pages, but was able to "reconnect" using IE's Tools/Options/Connections menu.

I've rebooted several times and it seems to be all gone.

Thank you for all your posts and good luck deleting this truly evil virus.

Anonymous said...

thank you soo much! it actually worked :D
I used anti-malware which I think it is the best one to use.

thanks again!

Anonymous said...

What worked for me: downloaded SUPERAntispyware, renamed the installer to winlogon.exe. Thanks so much.

anonymous said...

Hi, I've been trying to download skybot etc in safemode with networking but my computer keeps turning off before the download is complete. Any suggestions?

Anonymous said...

I already had Malwarebytes on my computer. When I opened in safe mode with networking, it lets me run a full scan. Is this ok or do I have to rename it????
