Saturday, January 30, 2010

How to remove "Antivirus Soft" fake security program? (Uninstall guide)

Antivirus Soft is a fake anti-virus program that is usually distributed through fake online anti-malware scanners and various other bogus websites. It is actually a Trojan, but it shows up as anti-virus software and even pretends to be a legitimate one. Antivirus Soft is scareware (badware) from the same family as Antivirus Live. Once installed, it simulates a system scan and lists non-existent threats and infections to make you think that your computer is seriously compromised. The scan results are completely false, so don't worry: the only real infection is Antivirus Soft itself. It will constantly ask you to purchase the program in order to remove the "infections" and protect yourself.



Antivirus Soft video: (http://www.youtube.com/watch?v=LYHXOkRlOdM)


Screenshot of newsoftspot.com


This virus doesn't delete any files; your data should be safe. The main goal of this bogus software is to trick you into purchasing it, so please don't do that. If you already did, contact your credit card company immediately and dispute the charges. Then remove Antivirus Soft from your computer as soon as possible, and don't make any online payments while you're infected. Read the removal guide below.

Antivirus Soft Demo virus is a very annoying scam: it displays fake security alerts and error messages, roughly every minute or two, stating that a particular program or web page is infected. The fake message reads:

"Application cannot be executed. The file [program].exe is infected.
Do you want to activate your antivirus software now."


The biggest problem is that Antivirus Soft won't let you download or install legitimate anti-malware software. You can try to remove it manually, but I think it will block Task Manager and other useful Windows tools to stop you. Instead, try restoring your system to a restore point from a day when your PC wasn't infected yet, or follow the removal guide below.


Antivirus Soft removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Log in as the same user you were logged in as in normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. Follow the prompts, then reboot your PC in Safe Mode with Networking. (Before saving SafeBootKeyRepair.exe onto your computer, please rename it to winlogon.com or iexplore.com.)

2. Launch Internet Explorer. In Internet Explorer go to: Tools -> Internet Options -> Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK.



3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend using ESET Smart Security.

Alternative Antivirus Soft removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is the HijackThis tool from TrendMicro, renamed).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it instead.

2. Look for entries similar to these in the scan results:
O4 – HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 – HKCU\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 – HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 – HKCU\..\Run: [kgtrlpor] C:\Users\Owner\AppData\Local\mfkrtl\oprgsftav.exe
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555


The process name will be different in your case, but it has the same structure: [RANDOM]sysguard.exe or [RANDOM]sftav.exe.

Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
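As an added example (not part of the original post), the following Python script applies the two indicators described above, Run-key entries pointing at [random]sysguard.exe or [random]sftav.exe under the per-user Local AppData folder and an Internet Explorer ProxyServer value pointing at 127.0.0.1, to HijackThis-style O4 and R1 lines. The sample log is constructed from the entries quoted above plus one legitimate autostart and one ordinary proxy line for contrast; it also accepts "localhost" as a loopback proxy, which goes slightly beyond the post.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis log format: the entries quoted in the post,
# plus a legitimate Run entry and an ordinary corporate proxy for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 - HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.example.internal:8080
""".strip()

# O4 = autostart (Run key) entry, R1 = IE registry value. HijackThis prints "-",
# but logs pasted into forums or blogs often carry an en-dash instead.
O4_RE = re.compile(r"^O4 [-–] (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
R1_RE = re.compile(r"^R1 [-–] .*Internet Settings,ProxyServer = (.+)$")

# Antivirus Soft drops [random]sysguard.exe / [random]sftav.exe inside a
# [random] folder under the user's local application data directory.
LOCAL_APPDATA_DIRS = ("\\local settings\\application data\\", "\\appdata\\local\\")
DROPPER_NAME_RE = re.compile(r"^[a-z]+(sysguard|sftav)\.exe$")


def is_avsoft_path(path: str) -> bool:
    """True if an executable path matches the Antivirus Soft naming pattern."""
    p = path.strip().strip('"').lower()
    folder, _, name = p.rpartition("\\")
    in_local_appdata = any(d in folder + "\\" for d in LOCAL_APPDATA_DIRS)
    return in_local_appdata and DROPPER_NAME_RE.match(name) is not None


def is_loopback_proxy(value: str) -> bool:
    """True if the IE ProxyServer value routes browsing through the local host."""
    v = value.strip().lower()
    return "127.0.0.1" in v or "localhost" in v


def triage_hijackthis(log_text: str) -> List[Dict[str, str]]:
    """Return the log lines that match the Antivirus Soft indicators from the post."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m and is_avsoft_path(m.group(3)):
            findings.append({"line": line, "reason": f"rogue autostart in {m.group(1)} Run key"})
            continue
        m = R1_RE.match(line)
        if m and is_loopback_proxy(m.group(1)):
            findings.append({"line": line, "reason": "IE proxy hijacked to local host"})
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f['reason']}: {f['line']}")
```

Only the flagged lines are printed; a clean log produces no output.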


Antivirus Soft associated files and registry values:

In Windows XP:
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]sysguard.exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random].exe
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[random]\[random]sftav.exe
In Windows Vista & 7:
  • C:\Users\[Username]\AppData\Local\[random]\[random]sysguard.exe
  • C:\Users\[Username]\AppData\Local\[random]\[random]sftav.exe
By default the "AppData" folder is hidden. To unhide this folder (and others), open Folder Options in the Vista Control Panel, and on the "View" tab, select "Show hidden files and folders" and click OK.

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\avsoft
