
Saturday, January 30, 2010

How to remove "Antivirus Soft" fake security program? (Uninstall guide)

Antivirus Soft is a fake anti-virus program that is usually distributed through fake online anti-malware scanners and various other bogus websites. It is actually a Trojan that presents itself as legitimate anti-virus software. Antivirus Soft is scareware or badware from the same family as Antivirus Live. Once installed, it simulates a system scan and lists false threats or infections to make you think that your computer is seriously compromised. The scan results are entirely false, so don't worry: the only real infection is Antivirus Soft itself. It will constantly ask you to purchase the program in order to remove the infections and protect yourself.



Antivirus Soft video: (http://www.youtube.com/watch?v=LYHXOkRlOdM)


Screenshot of newsoftspot.com


This virus doesn't delete any files; your data should be safe. The main goal of this bogus software is to trick you into purchasing it, so please don't do that. If you already did, then contact your credit card company immediately and dispute the charges. Then remove Antivirus Soft from your computer as soon as possible and don't make any online payments while you're infected. Read the removal guide below.

The Antivirus Soft Demo virus is a very annoying scam. It will display fake security alerts and error messages stating that a particular piece of software or web page is infected, roughly every one or two minutes. The fake message reads:

"Application cannot be executed. The file [program].exe is infected.
Do you want to activate your antivirus software now." 


The biggest problem is that Antivirus Soft won't let you download or install legitimate anti-malware software. You can try to remove it manually, but I think it will block Task Manager and other useful Windows tools to stop you. Instead, try to restore your system to a previous day when your PC wasn't infected, or read the removal guide below.


Antivirus Soft removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. Follow the prompts. Then reboot your PC in Safe Mode with Networking. (Before saving SafeBootKeyRepair.exe onto your computer, please rename it to winlogon.com or iexplore.com)

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



3. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.


Alternative Antivirus Soft removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Search for similar entries in the scan results:
O4 – HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 – HKCU\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 – HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 – HKCU\..\Run: [kgtrlpor] C:\Users\Owner\AppData\Local\mfkrtl\oprgsftav.exe
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555


The process name will be different in your case, but it has the same structure: [RANDOM]sysguard.exe or [RANDOM]sftav.exe

Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.
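
The pattern from step 2 can be checked mechanically. This Python sketch is an added example, not part of the original guide or of HijackThis: it reads HijackThis log text and flags Run entries that start an .exe from a single subfolder of the per-user local application data folder, plus an Internet Explorer proxy pointing at the local machine. The sample log is constructed from the entries shown above, the "tssd" ending is a variant reported in the comments, and the function names are illustrative.

```python
import re
from typing import List, NamedTuple

# Filename endings named in the guide; "tssd" is a variant reported in the comments.
KNOWN_ENDINGS = ("sysguard", "sftav", "tssd")

# "O4 - HKCU\..\Run: [value name] command" (hyphen, or the en dash web pages render)
O4_RUN = re.compile(r"^O4\s*[-\u2013]\s*(HKLM|HKCU)\\\.\.\\Run(?:Once)?:\s*\[([^\]]*)\]\s*(.+)$")
R_PROXY = re.compile(r"^R[01]\s*[-\u2013]\s*HKCU\\.*\\Internet Settings,ProxyServer\s*=\s*(.+)$")
# An .exe placed directly in one subfolder of the per-user local application data folder.
LOCAL_APPDATA_EXE = re.compile(
    r"^[a-z]:\\(?:Documents and Settings\\[^\\]+\\Local Settings\\Application Data"
    r"|Users\\[^\\]+\\AppData\\Local)\\([^\\]+)\\([^\\]+)\.exe$",
    re.IGNORECASE,
)
LOOPBACK = re.compile(r"(?:^|[=;/])(?:127(?:\.\d+){3}|localhost)(?::\d+)?(?:;|$)", re.IGNORECASE)

# Constructed sample log: lines 1, 2 and 6 follow the guide, the rest are invented.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 – HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 - HKCU\..\Run: [qzmvlkhd] C:\Users\Owner\AppData\Local\ptwhcnea\dvruqxab.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
"""


class Finding(NamedTuple):
    line_no: int
    level: str   # "match": fits the guide's pattern; "review": same layout, other name
    detail: str


def image_path(command: str) -> str:
    """Return the executable path of a Run command, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def triage(log_text: str) -> List[Finding]:
    """Flag autostart and proxy lines that fit the structure described in the guide."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        run = O4_RUN.match(line)
        if run:
            hive, value_name, command = run.groups()
            exe = LOCAL_APPDATA_EXE.match(image_path(command))
            if not exe:
                continue  # Program Files, system32, deeper vendor folders, ...
            folder, stem = exe.groups()
            detail = f"{hive} Run [{value_name}] -> {folder}\\{stem}.exe"
            if stem.lower().endswith(KNOWN_ENDINGS):
                findings.append(Finding(line_no, "match", detail))
            elif all(s.isalpha() and s.islower() for s in (folder, stem)):
                # Same folder layout with letter-only names: possible unknown variant.
                findings.append(Finding(line_no, "review", detail))
            continue
        proxy = R_PROXY.match(line)
        if proxy and LOOPBACK.search(proxy.group(1).strip()):
            findings.append(Finding(line_no, "match", "IE proxy on loopback: " + proxy.group(1).strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.level:6} {f.detail}")
```

Entries marked "review" only share the folder layout, so check the file itself before fixing them in HijackThis.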


Antivirus Soft associated files and registry values:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]sysguard.exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random].exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]sftav.exe
In Windows Vista & 7:
  • C:\Users\[Username]\AppData\Local\[random]\[random]sysguard.exe
  • C:\Users\[Username]\AppData\Local\[random]\[random]sftav.exe
By default the "AppData" folder is hidden. To unhide this folder (and others), open Folder Options in the Vista Control Panel and, on the "View" tab, change the option to "show hidden files and folders", then click OK.

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\avsoft
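
To confirm that the settings listed above are gone after cleanup, the check below (an added example, not from the original guide) parses the text of a registry export and reports any of them still present. It assumes the export was made with `reg export` or regedit and already decoded to text (such exports are normally UTF-16); the sample export is constructed and the function names are illustrative.

```python
import re
from typing import Dict, List

MS = "HKEY_CURRENT_USER\\Software\\Microsoft\\"
# (key, value name, test on the decoded data, effect of the setting)
CHECKS = [
    (MS + "Windows\\CurrentVersion\\Policies\\Attachments", "SaveZoneInformation",
     lambda d: d == "1", "downloaded files are not tagged with their origin zone"),
    (MS + "Windows\\CurrentVersion\\Policies\\Associations", "LowRiskFileTypes",
     lambda d: ".exe" in d.lower().split(";"), ".exe files open without a security warning"),
    (MS + "Internet Explorer\\Download", "RunInvalidSignatures",
     lambda d: d == "1", "downloads with an invalid signature are allowed to run"),
    (MS + "Windows\\CurrentVersion\\Internet Settings", "ProxyServer",
     lambda d: "127.0.0.1" in d, "browser traffic is sent to a proxy on this machine"),
]
LEFTOVER_KEY = "HKEY_CURRENT_USER\\Software\\avsoft"

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export containing the values from the list above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"CheckExeSignatures"="yes"

[HKEY_CURRENT_USER\Software\avsoft]
'''


def decode_data(data: str) -> str:
    """Normalise .reg data: dword to decimal text, quoted strings unescaped."""
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data  # hex(...) and other types are kept as written


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value name: data}} with key and value names lower-cased."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1).lower()] = decode_data(m.group(2))
    return keys


def audit(text: str) -> List[str]:
    """List the settings from the guide that are still present in the export."""
    keys = parse_reg(text)
    hits = []
    for key, name, still_set, effect in CHECKS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and still_set(data):
            hits.append(f"{key}\\{name} = {data!r}: {effect}")
    if LEFTOVER_KEY.lower() in keys:
        hits.append(f"{LEFTOVER_KEY}: key left behind by Antivirus Soft")
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE_REG):
        print(hit)
```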


327 comments:

Anonymous said...

THANK YOU after 4 hours of searching I'm free from that shiet!!

PEOPLE, HOW TO DO:
Start computer in secure mode with network,
then start internet and activate proxy at the "tools" tab, then you download malware and make a full scan. Then after 15 min the scan is over and you can delete the Antivirus Soft. Good luck.

JustAskNicole said...

I was able to get rid of this monster by doing a system restore to a few days before I got the virus on my computer. I'm so glad that worked! Not quite sure how I got it, but just glad it's now gone. Whoever created Antivirus Soft has to be the devil! That thing is horrible! Thanks for posting this valuable information!

Anonymous said...

I just figured this out after screwing around with a combination of things from a combination of websites:

1. Load "Spyware Doctor" and Malwarebytes onto your computer while in safe mode w/networking. Run the installers, but you can't update them while in safe mode because you can't connect online.

2. Spyware doctor blocks the viral application in normal mode.

3. You can now freely update Malwarebytes in normal mode and use your computer without irritation.

Bam! (I think Spyware doctor got rid of the application itself, but Malwarebytes found like 18 other infected objects on my computer)

Admin said...

That's ok. You don't have to rename it. Cheers!

Anonymous said...

I would like to add as a helpful hint to allow you to use other programs while infected with this stupid thing. Right after you reboot your computer, and your background shows up, immediately press control+alt+delete to bring up task manager--this is the only way I know of to use task manager during this virus. This will allow you to go into the processes and delete some of the processes. You then can download antimalware and run it. As for task manager, I went into the systems folder and made a copy of the task manager to my desktop so I can just click on it as soon as I see my background rather than control+alt+delete.

Anonymous said...

...having tried everything, using a system restore point proved to be a quick and easy fix.

...found file miirsftav.exe, created 03/05/2010 12:20 am. Viewing the web browser history showed that the wife was on Myspace at that same time.

Anonymous said...

I think I'm fine now, but this has been a nightmare. My niece picked up the virus onto my computer from Facebook. I was able to run in safe only mode with networking and restore to 48 hours earlier. I found the 'xxxxsftav.exe' file and deleted it. That unlocked everything, but I would freeze up and get blue screens and weird noises from the computer when running any of the following (Malwarebytes, Google Toolbar, Roxio (needed for backups)). I was able to download "OPERA" so I had a clean browser. Then downloaded and ran "HIJACK". Got back about 25 registry keys that were suspect. Used HIJACK to fix all of them, but 9 remained unfixed. I used the log, and ran "regedit" and manually deleted the remaining 9 suspect registry keys. I then uninstalled and reinstalled Malwarebytes, Roxio, Google Toolbar, AVG, etc. Then ran Malwarebytes and AVG to clean any remaining items. By far....the most invasive and insidious virus/hijacking I ever experienced. This is horrendous and has to stop now!!!!

Anonymous said...

Thank you very much for the 1/30/10 post. I was infected a couple of hours ago. I ran the HijackThis app...problem solved.
Praise God for you sir!

Anonymous said...

I find it appalling that Norton360 could not detect this... I wish I would have found this site to help me remove this vile malware but I did try similar sites with no luck. But I did have Dell support help me, which ended up fixing the problem. They used Malwarebytes and another program having booted in safe mode-networking, and were able to remove it at a cost of $130.00 for a single episode. (I paid $200 for four)
There is so much talk on these sites as to HOW to remove this malware, which is good. But why not put some effort in finding these pricks and ripping their heads off. Where are those sites...

Anonymous said...

Malwarebytes removed the Antivirus Soft, but had the system going into "preparing to enter standby" and locking up. After 2 days of this, I restored to 1 week earlier and this seems to be working fine. Thanks to everyone at this site. This is the only place I've found useful solutions to this problem.

Anonymous said...

Thank you for all the comments. I finally was able to open my programs. I used the instruction noted earlier : search for files/folders with "Sftav" and deleted them. It works.

Anonymous said...

Thank you so much for the great help!

Anonymous said...

Can anyone tell me why I can't use my up and down arrows after I press F8 to restart in safe mode??

Anonymous said...

If you have Windows 7, easiest way to get rid of Rogue Soft Anti Virus is to insert Windows 7 CD, shut down PC & restart in boot mode. (Will ask you to click on any key during start up) Click on repair program. Should solve the problem.

Anonymous said...

Thank you, Thank you!!! The iexplore.exe link worked like a charm for removing the FAKE "Antivirus Soft" virus...may they rot in hell for eternity!! :) Once again, thank you, you guys are life savers!!

Anonymous said...

Folks I got infected Wednesday morning March 10. I downloaded the MalwareBytes antimalware - second choice of the three downloads listed above - on a flash drive. Was able to access that, download it to my hard drive and run it. It found the ONE infected file out of 83,000 and isolated and deleted the ANTIVIRUS SOFT just like that. This is a fantastic utility. Thank you for providing it...my computer was cleaned and fixed in 10 minutes. It was running noticeably faster afterwards...wonder if I had this thing buried somehow for a while before it took over my computer? I am hardly a technician but I fixed my own computer in 30 minutes tops counting google search for a utility, downloading it and then cleaning my laptop.

Anonymous said...

It's from MySpace all right. My wife had not been there for months..then this afternoon checked on her niece's page, and there come the scary warnings about "infections" Wow..how many thousands of people paid these folks? Any clue where Antivirus Soft is based out of? Spybot S&D seemed to take care of it..THANKS SO VERY MUCH!

Anonymous said...

try this for XP: restart in any safe mode, do a search for any file with the letters sftav in the name and delete it, then restart normally
My problem was in C:/WINDOWS/Prefetch

Kiz said...

I am so happy this info is available. I got this virus, and I used this to help me rid my computer of it. I get so mad that people try to take advantage, forcing unnecessary fear and frustration. I wish I could punch the virus maker in the stomach. TWICE!

Anonymous said...

I hate to say it, but I think this virus is getting more malicious. I was infected on 3/14/10 around 7:30 PM. It came from Facebook. A window popped up for Antivirus Soft and asked me to install the program. When I hit cancel, it popped up a new box and proceeded to "scan" my computer. It stated that my computer was infected by BankerFox.A. The Antivirus Soft would not let me exit. Any other applications I tried to use popped up with a box that it was now infected and would not open. I spent 6 hours trying to fix this problem. I restarted the computer in safe mode and did a system restore to 3 days back. The virus was still there in normal mode. I restarted the computer in safe mode with networking and downloaded Norton 360. Norton found the threat and removed it. I restarted the computer in normal mode and ran another scan with Norton which found 3 more viruses. It appears that Antivirus Soft is allowing other viruses to access your system. I removed them and the system seems to be fine. I am going to run Malwarebytes tonight to review the system again just to make sure it is fixed.

Carlos said...

Thank you so much for your help, Malwarebytes' really worked!!! I owe you my gratitude. Now I just have one question, how did this virus get into my computer?

Anonymous said...

This virus does appear to be morphing. My wife apparently caught it from Facebook. Malwarebytes did not detect it. I tried Kaspersky rescue disk and Dr Web rescue disk. Both hung the PC after several hours of scanning. My new Epson Artisan networked printer spit out a sheet of paper with "This is fun" written on it. It looked like someone wrote the letters in MS Paint. I now wonder if my Home Server and NAS device may be infected.

Anonymous said...

I use Vista and was infected last night when I was reading an article on encyclopediadramatica.com. Norton, Spybot Search and Destroy, and Malwarebytes didn't detect anything. Using guidance from websites like this, I manually deleted a folder in Users/Me/App Data (hidden), and a few registry keys. Antivirus Soft no longer loads, but Internet Explorer automatically opened and directed me to a pornography page. This has only happened once, however, and my system is otherwise behaving normally.

Anonymous said...

So I also got affected by this virus/Trojan and looked into several posts. I found my PC good after doing these steps:

(1) used CCleaner to remove a start up process khgestav.exe
you can also use "msconfig" command in start>run>msconfig and reach to startup list program.

(2) used Malwarebytes and ran a Quick scan which lasted for 5 mins to find 3 Trojans and successfully removed them.


HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack)

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack)

C:\Documents and Settings\User\Local Settings\Temp\IVyc.exe (Trojan.Downlaoder)

That's it and thank God my PC is back to normal. :)

Bay said...

Could anybody tell me why do we need to rename the .exe? I just wonder and need to tell my boss why?

Admin said...

Bay, because Antivirus Soft may block removal tools by their names. That's why you should change it.

Anonymous said...

This fix worked. I was glad to get rid of the Antivirus Soft. I really didn't like having my browser opened to Porno.org and Viagra.com.

Anonymous said...

One of the PCs here at our office caught this Ransomware from MySpace.

Apparently there are different generations of this malignant software. The only solution for me was to restore to a date prior to infection.

I am now running MalwareBytes, SpyBot and AdAware to see if the unreferenced files can be located and deleted. They weren't located before so I may need to try "Hijack This" and the other suggested solutions.

Anonymous said...

Thanks for the info on how to remove this crap. What I found helpful was running safe mode with networking, then restoring the system to an earlier time, which didn't work before while running normal mode. All my files are there :) This site still helped me out because now I know what to do just in case.

Anonymous said...

Okay this virus is driving me insane!!!!!!!! I can't run safe mode. So I tried downloading the safe mode repair key thingy. I opened it. The black window opened but then it closed right away. It's probably because the Antivirus Soft blocked it. What am I supposed to do now?!

Steve said...

Like many others, I could not get an internet connection when I was in safe mode. After trying several times I noticed after I booted up in safe mode, my desktop was on the left & a description of safe mode was on the right half of the screen. In the safe mode description there was mention of a 'system restore' prior to the last update. My system restore date was 3/18 which was 2 days prior to getting the Antivirus soft virus. I did the system restore and it fixed the problem. I am running Windows Vista Home Premium.

Anonymous said...

My GF's computer was infected by the malicious Antivirus Soft this morning - she did a system restore on vista to two days ago and everything worked out fine. Thanks so much for this post!!

BTW- she also paid for the Antivirus Soft scam program. We made sure to call the bank immediately to dispute the fraudulent charges and cancel the card.

Sara said...

I got infected with this sucker on Friday. I was not on Facebook or Myspace but I was temporarily using Internet Explorer and randomly got it from a forum I was visiting. I already own Malwarebytes but it was disabling me from running a scan with it. I was able to remove it by using the HijackThis and I also found the folder:

C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\

After I renamed the .exe file to something else (by the way my .exe file's name was "eutisftav.exe") I was then able to use Malwarebytes to scan and it immediately found it and removed it. All is well now. Thanks!

Anonymous said...

Some quick tips I can add (I just got rid of it today):

1. Take action quickly. The longer this stays in your system the more likely it is to completely insulate itself and totally block your computer.

2. UPDATE MalwareBytes before you run your scan. If you don't, you might not get all of it (especially the part that allows it to come back on a restart).

3. With XP, you have to be hardwired to the Internet to connect to it when in Safe Mode with Networking. If you use a wireless connection you need to plug into your computer's (and the router's) Ethernet ports with a cable.

4. If you're having trouble downloading MalwareBytes and the other tools, go to another computer and download it onto a USB drive (even a small .mp3 player usually works for this). Then just plug the drive into your computer and launch directly from that drive.

5. The fix through MalwareBytes is free. They only ask you to consider buying their full program. MalwareBytes is definitely the best virus remover for this particular virus!

If you're lucky, you'll get it all (including the WinLogIn routine that keeps it coming back after each restart, no matter how much you think you "got rid" of it!). If not, be patient. The solutions ARE here and on similar sites. You can do it!

Anonymous said...

Just fixed this shit. Spybot didn't detect it for me, but MBAM did. Btw, didn't have to rename anything.

Anyways, thanks for the guide, much appreciated.

Anonymous said...

Wow that virus sucked. I tried a bunch of stuff. I did the proxy thing and booted in safemode and downloaded malware software which said it got rid of stuff, but when I would go back to normal mode it was still there, so I did the HijackThis program and then after did the malware software (in reg mode for both) and that stupid icon and the popups are finally gone! THANK YOU SOOO MUCH!

Anonymous said...

Thank you! Awesome, easy advice. Why isn't this software illegal, anti virus soft, that is. They are taking money from people, it should be tracked down and shut down.

Anonymous said...

I'm trying to run the Malware program, but the Antivirus Soft won't let me. It says it's infected. And I've already tried deleting the files from the HijackThis program. What now???

Anonymous said...

Got this terrible virus today, thank you very much for the help. I'm using XP and had a similar experience with another fake virus remover tool just a week ago which did all the same and annoying things. Best thing that worked for me was restarting and closing the process while I could get taskmgr running, and deleting the files from the docs and settings folder. After that the program was gone and I just had to change the LAN proxy settings in order to get my internet running again so that I could update malwarebyte which took care of the rest. Great and very informative site with lots of help, thanks everybody!

Anonymous said...

Thank you so much!!!!

anabel said...

ahh it worked!!
thank you so much!

Anonymous said...

That virus messed up my PC (XP) a lot. Should I system restore or this method?

Admin said...

First, try system restore. Then follow removal instructions above. Good luck!

Anonymous said...

The rogue has incapacitated my ability to start in safe mode with networking. I try to download the key registry you recommend, but how do I rename it?

Admin said...

Q: "The rogue has incapacitated my ability to start in safe mode with networking. I try to download the key registry you recommend, but how do I rename it?"

A: You can download an already renamed file (iExplore.com) from here http://bit.ly/9IxMsG

Anonymous said...

No dice. I downloaded the above link and still the virus won't let it run. No idea what to do from here....

Anonymous said...

It's worse now.. I shut down to try again and now I can start anything. Safe mode or normal.

Dustin said...

Thanks, I just got attacked by it. I hijacked it and installed superanti and Malwarebytes like my dad said.

Anonymous said...

Thank you SOOO much for this! I followed the instruction using MalwareBytes Anti-malware & the virus is now gone. I nearly almost cried because the virus wouldn't even let me open System Restore. You have no idea how grateful I am, especially since I'm not the best with the technical aspects of computers, yet these steps were easy enough that even I could do it by myself haha. Thanks again!

Anonymous said...

This is one nasty SOB. In XP I was able to get rid of it but explorer would not connect to internet. Outlook exp does and gets email, updates update and download but no surfing. My connection is good as I am on another pc now just fine. I tried deleting the network connector and even that isn't working. I am trying a system restore point and we will see.......4 hours and counting.

Anonymous said...

Hello, I didn't understand this. Could you put in a video please? It won't let me remove it still.

Anonymous said...

I'm throwing this out there for anyone who had the problems I did since I couldn't restart my computer in any safe mode at all. I couldn't run any virus program, or use IE or use regedit or anything.

What I did was start the computer normally and as soon as the XP Desktop screen popped up I hit the start menu key and quickly clicked "run" and then typed "msconfig" in the box. The "system configuration utility" box comes up and I went to the "start" tab and clicked "disable all" at the bottom. Then, in the "general" tab, I clicked "diagnostic startup" and restarted computer.

Once it's restarting, hit the "start" key quickly for the menu and then click "run" and type in "regedit" quickly. The registry should come up, and then I followed the directions and deleted all the registry keys listed in the post. After I did this, I could run malwarebytes and my avira virus program went off on the other files still left.

So far, I haven't had any more problems.

Anonymous said...

Thanks it worked fine

Anonymous said...

Thanks...
It worked out perfect.

Anonymous said...

Just restore your PC to a week of it, then you'll be fine, and not go to the site you know you got it from before.

Anonymous said...

I got Antivirus Soft!!!!!!! Made my life hell for 2 days until I found this glorious website, thank you soooooo much my hero! If I knew who you were I would kiss you lol love you man! love you love you love you love you love you love you love you love you :)

Anonymous said...

Holy hell! That was absolutely ridiculous! I have no idea where I could have picked this virus up in the first place. I had one similar a few weeks ago, but this was absolutely unreal. I couldn't even get Spyware Doctor to work because of it.

The second option appears to be working, though I fear I may have removed a few that I perhaps shouldn't have. Whatever. At least the problem has been resolved.

Thank you!

Anonymous said...

This post was lifesaving for me. Thanks so much.

Anonymous said...

Holy shit, I thought I fucked up my computer for ever. Who ever created this website is a genius. Thank you so much!!! Hopefully antivirus soft is gone forever!!!

Anonymous said...

Hi
Thank you for this useful information.
I believe I did remove smart xp internet security 2010 as now I can open any AV or other programs. (Is there any way to check if I still have this virus or I removed it?)
The thing is I cannot use the internet. I tried to connect in order to update the MalwareBytes Anti-malware (I have V. 1.44), and whenever I tried to open the explorer a box pops out. It's the same box that popped out when I was having the smart xp problem, but now the fake AV does not open as before, only the box. I did connect the internet and tried to open Firefox but it's telling me there is no server and I cannot open or browse anything. Also I tried to update Avast and the malware; also I couldn't.
I don't know what I can do. Any advice please.

Anonymous said...

This solution doesn't prevent the malware from occurring permanently. Every time Facebook is visited, the malware installs itself again. Are we supposed to avoid Facebook, Myspace...forever?

Anonymous said...

Yes you can. I am right now.

Anonymous said...

It seems to be from the flash player

Dyark86@yahoo.com said...

Got it a week ago after Raptr messenger updated and I left PC running while I went afk.
Ran scans in safe mode with networking and I thought I got it. Installed McAfee suite next day.
4th day about 3am I was afk again, came back to see it slapping me in the face, spent hours running various scans. I think as soon as I reboot it will be back.

I've manually removed some Reg files associated with it, ran Spybot, Malwarebytes, McAfee, McAfee's stinger for Antivirus Soft. Patience is hard to come by :(

Adam said...

THANKYOU SO MUCH!!!
I was panicking for a bit..
Thought I was going to have to do a full format of my C:

Saved the day :)

Anonymous said...

thank you so much for the advice...you saved my pc!!

Anonymous said...

My computer got this virus - it will not reboot into anything...after you choose one of the (Safe mode, Normal, etc) it reboots itself. Also will not boot from a known good CD boot disk - any ideas?

Anonymous said...

In my case, even after I turn off the proxy in IE and boot in Safe Mode with Networking, Spybot Search and Destroy, Spyware Doctor, and SUPERAntiSpyware are ALL blocked from downloading any updated virus definitions. I can surf the web fine, but those sites "cannot be found."

...am I dealing with an "improved" version of this piece of crap?

Ron said...

Well I did not read all the posts, just wanted to put in my fix for my girl's computer after three different approaches. Malwarebytes in safe mode did not work; when I rebooted the Trojan would not let me open any .exe. Well my fix was HijackThis renamed to iexplorer on save. Luckily I installed this before running Malwarebytes because I couldn't get the air card .exe working after. The only thing that worked was starting HijackThis as soon as the desktop came up on reboot before Antivirus Soft started and deleted anything looking suspect ie. pay software something also some 04 something. It worked and I immediately installed avast and spybot and did full searches. Good luck this thing is vicious.

Anonymous said...

MALWARE BYTES DOES NOT WORK!!!!

I have run it in "safe mode" and normal mode and it is completely updated. It does not detect this virus.

Stacy said...

I've had this twice, the first time a few months ago, the second time was yesterday. I only go through about half the steps here to get rid of it. Malwarebytes doesn't seem to spot it for me, but I almost always have Windows Task Manager already open. I look for an unrecognized EXE file using a lot of memory when it runs and named as a random letter string, and have Task Manager disable that. Then, if the popups stop and confirm I got the right file, I go under Documents and Settings/user/Local Settings/Application Data/ and look for a subdirectory that is a random mess of letters. I look in there for the file I've stopped. In all cases the windows description has called it 'notification tool Avira GmbH'. I delete that, run any anti-malware software I want to catch anything missed, and no more problem (until next time).

The last time I was hit with a double dose, and neither file had the expected *sftav.exe or *sysguard.exe ending. Both were *tssd.exe instead, so watch for this variant. To be specific one was subfolder 'ktrnlodwu' and file 'tiliblxtssd.exe' and the second was subfolder 'yfpktdwwp' and file 'utetbnttssd.exe'.

As a note, I use Windows XP and Firefox. Also, given the number of legitimate sites this trojan has been found on, I have my suspicions it might actually be hosting itself on the ad-servers that display ads on multiple sites. Does anyone else have this suspicion or any ideas of good ways to keep it OFF my computer to start with?

Anonymous said...

Downloading hijack this worked! I already had Malwarebytes. I updated it and am running a full scan now. :)

Anonymous said...

I have a netbook with this problem. Pressing F8 doesn't give me an option for safe mode with networking. Can anyone help me solve this issue so that I can begin following the directions? Thanks,

Anonymous said...

Fixed using System Restore. In Windows 7, if you press and hold F8 before the Windows splash screen comes up to enter advanced boot options, the top option for me was "repair your computer". I selected this and followed the onscreen prompts then it allowed me to use System Restore outside of Windows. The computer started up as if nothing ever happened.

Anonymous said...

You are so AWESOME!! lol Thank you so much.

Anonymous said...

OMG THANK YOU! I think! I've not checked if it's fully worked yet but all seems ok. Once again, THANK YOU!!!!

Anonymous said...

How in the world has this Antivirus Soft company not been sued into the ground? I tried calling that 1800 number that they have listed and it says "we're sorry, this number is temporarily unavailable". I was really hoping to chew someone's face off.

There is no way that this fake business can be legal, can it? I'm pretty sure NONE of us has authorized it to be on our systems...

Anonymous said...

Thank you, I had this just now and was worried and didn't have a clue. I have Norton internet security installed, but it was no use. Contacted Norton online help and they were trying to charge me £114 to fix this.
Only did a system restore to the previous day and it has resolved the issue. I hope I don't get this annoying thing again.

Anonymous said...

I ran Malwarebytes which located the virus but didn't remove it. I launched Task Manager as soon as I rebooted and watched the processes, but didn't know which ones to end. Then I ran Search for any .exe files created on the day I got infected. There were only 2 and one was running. When I ended it in Task Manager the alerts stopped, so I deleted those files and all was well.

Anonymous said...

Thank you thank you soooo much. You totally saved my bum, what with not having to tell my dad that the computer got a virus.... I hope whoever came up with this stupid virus thing, gets something ten times worse on their computer. You're a lifesaver btw. :D

Colin said...

SERIOUSLY A SOLUTION:

Run your computer in safe mode with no networking or anything.

Run "System Restore" and pick a recent point to before you were infected. (Start menu then type in System Restore in the search bar)

This stupid ass program will stop you from doing a system restore in normal mode, so you have to be in safe mode.

Anonymous said...

Thanks a lot. The info here helped me a bunch. I'm using Vista... when this virus got me I already had Malwarebytes and SpybotS&D. I ctrl+alt+del and chose Log Off. Then I logged back in and was able to ctrl+alt+del to get into Task Manager before the virus started blocking programs. It was easy to then pick out the [RANDOM].exe and kill it. Next I ran msconfig and unchecked the [RANDOM].exe. Then I fixed the proxy server issue in Internet Explorer to get back online. Ran Malwarebytes and SpybotS&D and got the bug out. Even acquired it a second time using Stumbleupon toolbar and easily killed it the same way.

Anonymous said...

Still trying to remove from son's computer with Vista. Downloaded Spybot, but virus kept disabling, even in safe mode. Norton's found a "trojan" and supposedly removed it and popups have stopped. Was able to uncheck Proxy on IE, but not the other box below it. It's shaded and will not allow access to change. Computer seems okay as far as popups, but still running slow. Trying to do a system restore to a point prior to problems, but appears that is "locked up". Any suggestions?

Anonymous said...

Okay I really appreciate this site. However I seem to have a strange problem. I managed to disable it, I went and altered my registry, updated all my antivirus, adaware, spybot, and Malwarebytes and it caught some other items. Everything is running good, did a restore to a week ago... But I can't get into my C:\Documents and Settings\user Files! I keep unchecking read only and it keeps resetting it! Very frustrated.

J said...

I need some serious help with this one. I have tried a lot of anti-virus programs (Malwarebytes, Avira, Spyware Doctor, SpyHunter, etc...) and, while they have all found some trojan, data collector or virus, none of them have completely solved the problem.
I no longer have the antivirus soft problem and the popups have stopped coming up on their own, but I am still having other problems.
I used to use Chrome, but after the attack it would no longer work (no matter what I did or where I tried to go it would simply say "loading..." and not do anything).
Both IE and Firefox have issues of random websites trying to load at any given time when they are being used and sometimes, instead of loading the page I am trying to get to, they attempt to load an entirely different page.
I will shut down the browser(s) and when I attempt to restart them they try to load and simply shut down.
I really don't know what to do. I do not have a system restore point before this happened (I thought I had activated it, but apparently I was wrong) and my laptop did not come with a Windows 7 restore CD. Help please.

Anonymous said...

Hi, I had ThreatFire running and it stopped the malware processes and I was able to get rid of the malware antivirus through Malwarebytes without losing my internet connection or going into safe mode

Anonymous said...

duude please help me. I got this virus today after I opened up a file that was sent to me by a friend (should have guessed as he never sends anything). Anyways I'm up to the bit where you need to enter safe mode with networking and hit connections and then untick those two boxes, well in safe and normal mode they're ticked but in safe mode with networking they're not. That's the bit I'm up to and I can't get past anything else because of those boxes. What do I need to do in order for me to tick the two boxes in safe mode with networking? I'm running on a Windows XP

Anonymous said...

THIS WORKS 100%

Simple as 123

Restart your computer using SAFE MODE with Networking. You can do this by shutting down your computer/laptop and restarting by pressing F8. After you have restarted your computer in safe mode go to

1) START MENU and click on RUN.
2) Type in Msconfig
3) Under the Startup tab scroll all the way down and unclick any programs (usually it will list the startup item as iptijdmc or some weird characters and the manufacturer as "unknown"). Unclick or unlight it then click apply then it will prompt you to restart your computer.
4) It should work fine now......

Anonymous said...

lol like many who have posted before me I have also fallen victim to this foul beast of a plagued virus - disrupted my entire Anti virus programme - and in fact it crippled my anti virus software as well - AVG didn't detect it at all - however NOD 32 anti virus did and I got rid of it the first time round - now unfortunately I got it back again - used all methods - system restore, 3 safe modes, c cleaner, ad adware, spybot etc - none worked - not even combo fix

in the end tried - Malwarebytes - took 13 hours but only ended doing half the job - did it again - took 9 hrs and now it seems to be working fine

also I did experience some internet problems but following the advice Anonymous gave us

Anonymous said...

@March 1, 2010: Avsoft also changes your Internet Explorer settings to force you to use a proxy. To fix this, open Internet Explorer and go to Tools -> Internet Options -> Connections -> LAN Settings and UNcheck the box for "Use a proxy server" and the one below it for "Bypass proxy...". Then you should be good to go.
March 1, 2010 3:49 PM

My internet problems were resolved

Thanks very much for posting this as it has sorted out my problems and saved me from losing my laptop pc with all my uni work on it and saved me a fortune of having to go to pc world as well

God Bless u Admin and Rogueamp

King Klass

Anonymous said...

Thanks for the info, I couldn't boot into safe mode but I did have HijackThis, I renamed HijackThis and did the scan. Found 1 line in section 4 that didn't make sense, after deleting the entry it stopped and I was able to run Malwarebytes, excellent fix, now we just have to castrate the prick who delivered it!

Anonymous said...

This comes from facebook..not facebook but lamebook so if anyone has joined that group get out of it. I received this virus after reading stuff on lamebook.com.

Anonymous said...

IT IS MAY 30, 2010. I JUST WENT THROUGH YOUR VERY FIRST STEP (START IN SAFE MODE, UNCHECK LAN, DOWNLOAD MALWARE, RUN IT AND RESTART IN NORMAL MODE, THEN START MALWARE AGAIN) AND IT WORKED SUCCESSFULLY. I JUST WANTED TO SAY YOU ARE TRULY A BLESSING. I PRAYED ABOUT FINDING SOMEONE FOR FREE TODAY THAT CAN HELP ME GET THIS VIRUS OFF MY COMP.

WHICH I NEED TO INFORM EVERYONE THIS VIRUS CAME FROM ONE OF THOSE FREE MOVIES ONLINE SITES, WHERE YOU CAN WATCH THE LATEST MOVIES. THIS DIDN'T START TAKING PLACE UNTIL THE SECOND MOVIE HAD BEGUN. ANYWAYS I AM FOREVER THANKFUL.

BESTBUY WANTED TO CHARGE ME 199 TO DO THIS SO THAT I CAN KEEP ALL MY EXISTING FILES, PICS ETC... OR 129 TO REMOVE ALL VIRUSES AND RESTORE COMP TO ORIGINAL SETTINGS, FROM HITTING F8, WHICH I WOULD HAVE LOST EVERYTHING EITHER WAY.

I JUST WANTED TO SAY THANKS AND KEEP POSTING ANY OF YOUR BRILLIANT TRICKS AND IDEAS.

FROM MS FOREVER THANKFUL "D"

Anonymous said...

How can I download safeboot key repair if even when I'm in safe mode with networking I can't go on the internet!?

Anonymous said...

The worst thing about this thing is, even if you know it's fake you can't run your legitimate software to get rid of it.

For those that don't know how to start in Safe Mode and access to another computer to get the answers you would be screwed.

Anonymous said...

I got this virus last night and I have done all that was instructed on the video and on this site, I'm not receiving any warning signs and I do not see any signs of the antivirus software, but I am unable to get on to the internet and even worse I can't even use the USB port or the CD drive because my laptop isn't picking any of it up. I'm not sure what to do I can do any scans or download anything due to these problems so I'm not sure what to do. Can someone help? I'm tired and I just really want to do a system restore but I'm not sure how, because there is not a previous restore date except for the time when I got the virus. Please help..

Blogger24 said...

I tried several other things before following your instructions, but my computer is running very slow now. I am not sure if I deleted the wrong items. How can I find out or restore items lost?

Anonymous said...

I followed your instructions and then looked under "msconfig" startup menu and noticed three "unknown" items that I recognize as part of the virus. One ends with pvmvumftssd.exe. I tried to search and then delete these items, but it can't find them. Are they gone? If so, why do they appear in the startup?

Transpontine said...

Thanks for all the advice - the internet may be a stalking ground for idiots like the ones responsible for this virus, but it's also a place where we can share our collective intelligence on how to solve problems...

Like others I had problems connecting to the internet while infected so couldn't follow the initial advice given here. But this worked for me: start in safe mode (press F8 while booting up, then select safe), then choose the 'System Restore' option and restore to a time before the problem started. Then I ran malware. My problem started with downloading music from a zshare site (I never learn), I actually saw it happening - a black window opened on the screen and I could see that something was going on in 'local settings'.

Although I seem to have got rid of Antivirus soft, I have been left with a residual problem as I now have links being misdirected from Google. So if I do a search and click on a link, instead of going to the site I selected I get misdirected to various random shopping sites. Any ideas?

Anonymous said...

Thanks!! I have been trying to get rid of this virus all day. Thank goodness I have another computer so I could find this very helpful information. Can't thank you enough

Anonymous said...

I would just like to say how grateful I am, thank you so much for your help. God bless you.

Branden dicoster said...

I never got "antivirus soft" on PC. I have some malware infections. how to remove them. help?

Anonymous said...

I believe I got hit with the virus today because of Twitter.

Anyone else get it from Twitter? I don't go to facebook or Myspace, just trying to narrow it down.

Anonymous said...

SmitFraudFix removes Antivirus Soft very well. Search it in google and click the first link 2 download.

Anonymous said...

Thank you so so much... I realized after three of the computers in my house had been infected that it was from playlist.com and your instructions made it so easy to get the spyware off the computers. Thanks!

Brown said...

I had antispyware and antivirus protection on my computer. Whenever any rogue software gets installed on the system, my virus and spyware protection program detects it.

Nattalie said...

in the middle of the scan in safe mode, my computer just shut down....and now it won't turn back on...help!

Anonymous said...

used super to remove antivirus soft and it worked nicely - but also had to use TDSSKiller to get rid of the tidserv request that kept trying to invade my computer

Anonymous said...

By far the most comprehensive thread I've come by. Thank you all for the extremely insightful information. Not having to surrender & toss over my laptop to the scammers at Geek Squad made me sooo happy!

Infected on : 7/6/2010

Symptoms: AV Security Suite, pop-ups and computer trying to access "porno.com" and "adult.com"

Attempts:
>MalwareBytes - Found 8 infected files, Deleted but when computer was restarted it was frozen on my desktop, not able to open any programs, not even start menu or task manager.

>Downloaded SpyBot, HijackThis and Avast antivirus - (attempted in safe mode with a USB, downloads from another computer) spybot unable to finish installing, HijackThis unable to finish installing, Avast found nothing.

>Searched files - Found nothing with "sftav".

>System Restore - Successful so far!

Sharif said...

Awesome!!! Thank you. You can use Superantispyware/Portable as well without having to save anything to your computer. :-)

Anonymous said...

I just got this virus yesterday. I've been trying to do a system restore like some people suggested, but I haven't been able to. When I try in Safe Mode with networking, I get a message that I can only restore in normal mode. When I try in normal mode, the virus blocks me from clicking the System icon in Control Panel. Any ideas? Thanks!

Anonymous said...

Does anyone know something that will block this goddamned shit from coming back??? I have gotten this f'ing thing on my computer 10 times in the last month! I haven't installed anything, I am not going to porn sites or anything like that. I have no idea how the hell it keeps coming back! You'd think my company's $2000 a year Symantec Antivirus would catch it???? NO!

Anonymous said...

Hi everyone, I just got infected by this fake antivir thing. I did what you suggest, run Safe Mode, download SuperAntiSpyware, scan once (it found several things but not the good one). I did it a second time in normal mode.

But the Antivir is still there, what can I do?

Anonymous said...

Thank you so much Admin, I am a complete novice, got infected three days ago, your instructions for 'safe mode with networking' finally let me get control of my laptop, and Malwarebytes did the rest!

P.S. re: unchecking the 'proxy server'
in the LAN settings, do I leave it as it is?

Admin said...

You don't want to use a proxy server for your LAN. See the image in the removal step #2, you should do the same. This option "Use a proxy server for your LAN" should be unchecked. Good luck!

Anonymous said...

Thanks a lot. Worked great. My kids called me a "hero".

Anonymous said...

Thank you so much. Hate when people are trying to rip you off in this way. Only took a couple of minutes after starting my pc in safe mode. Did a system restore to an earlier date and when rebooted ran malwarebytes anti-malware and that sorted the problem. Thanks again for the post on this subject. Highly appreciated.

Anonymous said...

Great Guide! Thanks

Anonymous said...

I got this lame thing yesterday. I am very piss..... I'll make my mission in life to hack those bastards' page

Anonymous said...

I went through every possible solution to remove Mareza fake antivirus, it had completely disabled my computer including my internet access so using a downloaded removal tool wasn't an option. In the end I simply started my computer in safe mode and restored it to the day before it became infected.
It was simple and no more virus.

Anonymous said...

I downloaded SuperAntiSpyware and renamed it iexplore.exe before saving it in safe mode, but when I tried to launch it, a pop up comes up saying it's not a right program for window 32.... I tried downloading Spybot and tried to rename it both iexplore.exe and wonlogon.exe but still not working.... what should I do?

Anonymous said...

And I've downloaded SUPERAntiSpyware in safe mode, named it winlogon.exe, installed and updated it. But when I'm in Normal Mode I can't start AntiSpyware like it was before with the other programs. Any advice?

Anonymous said...

I had this problem last night. Malwarebytes' Anti-Malware was able to locate the problem files. I used a program called RKill first which supposedly shuts down any of the malware's processes that may be running in the background.

Anonymous said...

Oh man thank you very much this worked a treat. I tried the second option using the hijack method, worked awesome thank u thank u thank u.

Elisha said...

Someone please help me !!!!! Ok I have a friend who has a new laptop .. She had mcafee or however you spell that I am really upset right now ... Well the Eset come across her comp for her to buy it and install it so she bought it and now her computer is going crazy ... I go to control panel to uninstall it and it's not there . I can not even sign on to Internet Explorer .. To even download Malwarebytes .. I am pretty good at getting rid of virus but this one is driving me crazy . I know that if I can download the Malwarebytes I can get rid of it . But even in safe mode it does the same thing .. Please help me and tell me what more I can do . I have even tried to stop the process of it as well in task .

Anonymous said...

What a nasty piece of work this thing is! Thanks so much, without this information I wouldn't have known how to get rid of it. Thought I'd lost a major assignment and it even affected my iPhone.
How are these people able to do this?

Haven't needed to download Malwarebytes but I'm keeping a close eye on things.

MLB2k11 said...

Such a wonderful post. Thanks a lot.

Anonymous said...

I got an antivirus last night. It calls itself protection shield 2012 or something similar. Do I do the same instructions for removal? I find it is simple to do a computer restore. How can I accomplish this with my PC completely disabled?
