How To Remove Antivirus Live and Other Rogue/Fake Antivirus Malware

If you’ve got a PC infected by the Antivirus Live virus, you’ve got a tough job ahead of you to remove it. And we’ve got the instructions to help.

Antivirus Live is one of many fake antivirus applications, like Advanced Virus Remover and Internet Security 2010, that are really rogue programs (scareware) that take your computer hostage: they tell you that your computer is infected, then demand payment to remove infections that aren't really there. It's a huge problem, and they are not easy to remove, because they block virtually everything you try to run, including real anti-malware tools. Antivirus Live in particular runs as a process with a random prefix ending in sysguard.exe, blocks most other executables, and points Internet Explorer at a bogus proxy on the local machine so you can't download or update anything.

Rogue/Fake Antivirus Live

Removing Rogue Fake Antivirus Infections (General Guide)

There are a couple of steps you can generally follow to get rid of the majority of rogue antivirus infections, and in fact most malware or spyware infections of any type. Here are the quick steps:

Those are the rules that normally work. Note that some malware infections not only block Safe Mode but also prevent you from doing anything at all. Readers in the comments report three workarounds that sometimes help: log on as a different user account (some rogues only hook the profile they infected), choose Last Known Good Configuration from the F8 menu, or open Task Manager the instant the desktop appears and end the [random]sysguard.exe process before it has finished locking things down. We'll cover those cases in another article soon, so make sure to subscribe to How-To Geek for updates.

Let’s Remove Antivirus Live

The first thing you'll want to do is reboot your computer and press the F8 key repeatedly just before Windows starts loading. Then select the Safe Mode with Networking option.


Before you do anything else, you need to get the internet connection working again, because Antivirus Live points Internet Explorer at a fake proxy server on the local machine (readers in the comments found the value http=127.0.0.1:5555 in the registry). Every page IE requests goes through that bogus proxy, which keeps you from reaching anything useful and from downloading or updating a real anti-malware tool. Open Internet Options (from Control Panel or the Tools menu in IE), go to the Connections tab, click LAN settings, and uncheck "Use a proxy server for your LAN". That checkbox is backed by the ProxyEnable and ProxyServer values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, so if the dialog itself is blocked you can fix the values in the registry instead. Browsers that keep their own proxy settings, such as Opera, need to be checked separately.
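As an added example (not code from the original article), here is a PowerShell script that audits the per-user WinINET proxy values described above and clears them when they point at the local machine. It assumes Windows 7 (or XP/Vista with PowerShell installed), that you run it in Safe Mode with Networking logged on as the affected user, and the function names and the loopback pattern are my own choices, not anything from the article. Run it with -WhatIf first to see what it would change.

```powershell
# Added example for this page, not code from the original article.
# Audits and repairs the per-user WinINET proxy values that Antivirus Live
# tampers with. Run from PowerShell in Safe Mode with Networking, logged on
# as the affected user. Windows 7 has PowerShell built in; XP/Vista need it installed.

$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IeProxyState {
    # Values WinINET reads; a value that does not exist comes back as $null.
    $p = Get-ItemProperty -Path $IeSettings
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL   # a PAC script can hijack traffic the same way
    }
}

function Test-LocalProxy {
    param([string]$ProxyServer)
    # A proxy on the machine itself (the comments report http=127.0.0.1:5555) is the
    # rogue-AV pattern: the malware listens locally and decides what IE may load.
    if (-not $ProxyServer) { return $false }
    return [bool]($ProxyServer -match '(^|=|//)(127\.0\.0\.1|localhost)(:\d+)?')
}

function Repair-IeProxy {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([switch]$Force)   # clear the proxy even when it does not point at localhost
    $state = Get-IeProxyState
    Write-Host ("Before: ProxyEnable={0} ProxyServer='{1}' ProxyOverride='{2}' AutoConfigURL='{3}'" -f `
        $state.ProxyEnable, $state.ProxyServer, $state.ProxyOverride, $state.AutoConfigURL)

    if (-not $Force -and -not (Test-LocalProxy $state.ProxyServer)) {
        Write-Host 'ProxyServer does not point at the local machine; use -Force to clear it anyway.'
        return $state
    }
    if ($PSCmdlet.ShouldProcess($IeSettings, 'set ProxyEnable=0, delete ProxyServer and ProxyOverride')) {
        Set-ItemProperty -Path $IeSettings -Name ProxyEnable -Value 0 -Type DWord
        foreach ($name in 'ProxyServer', 'ProxyOverride') {
            Remove-ItemProperty -Path $IeSettings -Name $name -ErrorAction SilentlyContinue
        }
    }
    $after = Get-IeProxyState
    Write-Host ("After:  ProxyEnable={0} ProxyServer='{1}'" -f $after.ProxyEnable, $after.ProxyServer)
    return $after
}

Repair-IeProxy -WhatIf   # preview; run again without -WhatIf to apply, then restart IE
```

If the per-user values are already clean but IE still goes nowhere, check the same value names under HKEY_LOCAL_MACHINE and under Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings in both hives: a policy there (ProxySettingsPerUser set to 0) makes the machine-wide values win over the per-user ones, and an AutoConfigURL pointing at a PAC script is as effective a hijack as a proxy server.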


Now install SuperAntiSpyware (linked above). Ideally you downloaded it on another computer already, but Safe Mode with Networking should let you download and install it. One snag several readers hit: the SuperAntiSpyware setup uses Windows Installer, and the Windows Installer service does not run in Safe Mode, so the install can fail with a permissions or "administrator rights" error. If that happens, either install it in normal mode right after logging on, before the rogue finishes loading, or allow Windows Installer to run in Safe Mode by creating a key named MSIServer under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and under SafeBoot\Network for Safe Mode with Networking) with its (Default) value set to Service, then running net start msiserver. Several readers also renamed the installer before running it (the Malwarebytes setup to m.exe, for example), because the rogue recognises the well-known file names and blocks them.

Once you load it up, it’s going to do some analysis…


Then you’ll see the full application screen, where you’ll want to use the Check for Updates button to make sure you have the latest definitions. Once you’ve done that, click the Scan your Computer button.


Select your primary drive at least, though you should pick all the drives, and then click the Perform Complete Scan button.


It'll run for a long time, detect a bunch of stuff, and then you can proceed through the wizard to actually remove it all.


Once it’s all done, you can reboot the PC again (just make sure to go back into Safe Mode again).


Next you’ll want to install Malwarebytes, make sure to check the Update tab for the latest definitions, and then perform a full scan of your system.


Malwarebytes will usually find malware that SuperAntiSpyware missed (you almost always need more than one tool to get it all). Just be sure to click the Remove Selected button to get rid of the rest.


At this point you’ll want to reboot your system, and then install Microsoft Security Essentials and run another full scan. Can’t hurt to be too cautious!

Note: If you used a thumb drive at any point during this process, you should make sure and scan that as well—I’ve had viruses hop over to the thumb drive, ready to infect the next machine.

This article was originally written on 01/05/10. Tagged with: Viruses & Spyware, Vista, Windows 7, XP

Comments (138)

  1. PhoenixPath

    A small suggestion:

    Before booting into safe mode, try booting to another “user” account. Some of these “rogue” anti-malware apps are stupid enough (thankfully) to only infect the active user. I’ve been able to, on several occasions, simply log out and onto another account (works even better if it’s an AD account that hasn’t been used previously on that PC as it creates a new profile) and check it out first. Could save you a lot of time.

    This worked on some, but not all of the ones I have run into in recent memory, so as always, YMMV.

  2. Ashutosh Mishra

    MalwareBytes offers a small free tool called RogueRemover, which removes infections like this one.

  3. Ashutosh Mishra

    Hey just checked the site that RogueRemover has been discontinued! Sorry for the previous comment. :)

  4. Spydey

    Great advice on how to get rid of those nasty fake anti-virus programs. I just helped a friend get rid of a few from her computer, although I did it differently. All the attempts that I made to clean it via safe mode were met with failure. It was a tough little bugger. So I took out her HDD and put it in my machine. I used my anti-virus (MSE) to scan it and it found and cleaned all of it. The only problem that I have now is that after I put her HDD back into her computer, anytime I try to log on to her desktop, it logs in, shows the desktop background, and then immediately logs out again. Something is up with the registry I believe, so I will have to figure this one out too.

    Great article and thanks for the tips!

    -Spydey

  5. Ronny

    In my experience, a much better solution is to load from an alternate Windows installation and then fix the issue.

    When you boot into Safe Mode, you still run the same Windows that’s infected.
    If you use something like the Ultimate Boot CD for Windows (www.ubcd4win.com), you can create a bootable rescue media with all the tools you need.

  6. Brent

    I ran across someone about a week ago who actually purchased one of those fake anti-virus programs. I guess they wouldn’t create those things if people were not buying them.

  7. tommy2rs

    Might want to dump all the system restore points also. They can get you reinfected if you happen to use the wrong one. First step I use in cleaning any malware infection is to turn off system restore and dump the restore points. Hard part’s remembering to turn it back on afterwards…;)

  8. sam

    Or run ComboFix once… it cleans 80% of the computers I've used it on; the last 20% have securities in place to prevent executables from running.

  9. The Geek

    @Ronny

    Yeah, actually I do that sometimes, or use a linux live cd (my favorite method). For this article, I was trying to explain the simplest method for regular users – even with a guide, most regular users won’t be able to figure out UBCD.

    You’re right, usually Safe Mode is also infected – I’ve got another article coming up this week on how I dealt with one of those situations without requiring a boot CD, but I’m going to cover your method in the near future as well.

  10. Oldphart

    Using ComboFix first paves the way so that you can install the AntiMalware program since in most cases you will find yourself looking at a “corrupted file” or lack of “administration rights” needed for install. Also using X-RayPC allows you to selectively kill active processes from the Malware that rebuild creating an environment needed for further cleaning. And most important, most versions of the FakeAlert malware hide within the System Restore, therefore it is imperative one DISABLES System Restore prior to the actual cleaning. XP machine cleaning is easier than attempting it on Vista or Win7, and on those last two mentioned, I will use a file recovery program to save the owners important files, reformat, and then reinstall the operating system.

  11. Julien

    Too bad this article wasn’t done a couple of days ago, one of our computers got infected by this and I had to put it inside another of our computers, took a couple of hours. So time consuming these things are.

  12. lexcen

    Although I've been using Malwarebytes for some time, I found the current version to be buggy and causing a fatal system error.

  13. Michel

    Tried to follow the procedure, but I got an error when trying to install SuperAntiSpyware in Safe Mode.

  14. Santo

    I had tried Malwarebytes to remove similar kind of infections in normal mode. It works most of the time but when it fails I end up by reinstalling the OS. I reinstall only if none of the steps works which includes the safe mode scanning too.

  15. Robert

    We’ve been dealing with this issue at my work for several months now – off and on. One thing I’ve found that makes life easier, is if you can manage to install / run SuperAntiSpyware on the infected account shortly after that user reports the issue **WITHOUT** rebooting / logging off. I’ve noticed that once the user has logged off(?) or the computer is restarted, the virus digs itself in a bit deeper.

    Often an error message will pop up saying “This file is infected and can not be ran.” – or something equivalent. Just move the message box to the side (don't click OK or close it, just move it), try re-running the setup file for SuperAntiSpyware, and it should actually run just fine – though you may have to right click on the program and “Run As” an administrator.

    These pesky infections are such a thorn in my side anymore. The procedure posted in this article is right on the money, though I would highly recommend trying to run SuperAntiSpyware as that user BEFORE they reboot the computer. Once the computer has been rebooted, it often takes longer to completely disinfect. That’s just been my experience with it anyway.

  16. piagetblix

    I used to run Super Anti Spyware from UBCD for Win but stopped 'cause I figured it didn't do anything, due to the fact that it needs to reboot to remove, and rebooting flushes the RAM so nothing happens… right???

    cheers,

  17. PC-Mat

    Geek! Way to give away the tricks of the trade. ;-)

    I do a lot of repair via remote connection, so UBCD is not really an option. I would say these programs are the foundation for quick Malware removal, but not for a full repair. Hence, your proxy fix.

    Keep up the good work Geek!

  18. Titan Boo-Boo

    @piagetblix

    That is more or less the point of the reboot. It allows the deletion of files before they can be loaded into RAM. Reboot to remove works, trust me.

  19. piagetblix

    @Titan Boo-Boo

    Are you referring to running Super Anti Spyware from within safe or normal modes OR are you referring to using it within the UBCD PE environment, where I am under the assumption it cannot script the startup removal since it is running in a RAM disk and that will be flushed upon restart…

    Cheers,

  20. Titan Boo-Boo

    Safe mode would work, UBCD most likely not.

  21. Dexter

    Call me paranoid but once a computer is infected with malware I’ll never fully trust it again. Reformat!

    Or better yet, keep a clean backup image of your system and just revert to that.

  22. Powderpuff04

    Thank you OLDPHART for the tip on trying ComboFix it worked for me while running in normal mode! Just remember to change the file name when you download it to your desktop, otherwise the virus will recognize it and prevent you from opening the file.

  23. AC

    I find that this method/procedure usually is a winning combination.

    Step 1 – Turn off system restore.
    Step 2 – ComboFix in safe mode.
    Step 3 – MalwareBytes, SpyBotSD, and SUPER AntiSpyware in safe mode.
    Step 4 – Rerun MalwareBytes in normal mode.

    If you’re locked out of the OS, use SpyBotSD and Avira from UBCD4Win to get a head start.

  24. GB

    I know my bits and pieces about computer/laptops, but not as much as I use to a few years ago, hence why I totally freaked out and got stressed last night trying to sort this little problem out, thank god I came across your article! My only problem is, how do you fix IE? This slightly confused me, can you try and explain this to me, in nice and simple language, the jargon confuses me these days, thanks

  25. Cort

    Just thought I would mention… the first step in the article mentions to boot to safe-mode and install Superantispyware. The Superantispyware installer uses the “Windows Installer,” which is almost always disabled in safe-mode. I imagine just a typo, though.

  26. Bobby digi

    I had the Antivirus Live problem. It's not a virus. It acts differently than a normal infection. It has coding in it that breaks down your restore settings and therefore they must be replaced. So unless you have a backup, you can't replace those system restore settings. I used Malwarebytes but had to change the exe name to just m. Otherwise this rogue program erases it and any other such programs. My advice is to relax, you've got a long frustrating battle ahead.

  27. BigDaddy

    I was not able to access safe mode at all, so I chose “last known good config” and it loaded Windows without the virus. I had SuperAntiSpyware, Malwarebytes and Microsoft Security Essentials loaded on my flash drive, so I installed and ran them from there. They located/deleted the rogue agent and a lot of other crap… works like a charm!

  28. Garbinski

    I have tried “EVERYTHING” suggested on your website as well as many others over the last few days trying to get rid of ANTIVIRUS LIVE and nothing works! I was able to get into “safe mode”, but then my arrow keys wouldn't work. I contacted the STAPLES technology department and was told that this was definitely a virus that only they could remove… $129 for virus removal and another $29 to install an anti-virus program. I was told I could follow all the instructions found on the Internet to remove it, but I wouldn't be successful. Again, I've tried changing the LAN settings, tried to download software onto a USB stick and transfer it into the infected computer, but the computer won't even allow me to open Control Panel. Is there any way, or any other suggestions out there, to resolve this without taking the entire computer in to someone like STAPLES? I'd appreciate any further assistance. Thank you in advance.

  29. Alex

    Just a quick thing to try that worked for me if the virus has disabled safe mode and Task Manager and the ability to add or remove any program on the computer, like it had for me. I was able to “beat” the virus by restarting Windows and, the instant my desktop popped up, opening Task Manager and ending the process that is the virus (it will always begin with a random word/letters but looks like this: [random]sysguard.exe). This allowed me enough time to take the other steps to remove the virus without it blocking everything, as it takes a few moments to put into place all of its blocks.

  30. Megachains

    Hey, I just ended up with the rogue virus this week. It is really making me angry. Thanks a buttload for the tips. If this doesn’t work I can at least take it in for repairs. All I have to say that ANTIVIRUS LIVE is really one tough mother. Thanks again!

  31. Quisquose

    Ditto what Alex said. I rebooted when Antivirus Live started overwhelming me with “Infected!” messages, and noticed that there were a few seconds' lag between when my desktop popped up and Antivirus Live appeared. So I rebooted a second time and as soon as the desktop appeared I immediately hit Ctrl+Alt+Del to pull up Task Manager and as fast as I could ended all the processes under the local user (i.e., not the user called “System”) that I didn't recognize (of course, I was reasonably familiar with what that list is supposed to look like; I wouldn't recommend people try that if they've never been in Task Manager before). Antivirus Live didn't load this time, so I downloaded SuperAntiSpyware and Anti-Malware, updated my anti-virus program (Avast), and started following the instructions in this article. Scans are still running, we'll see how it goes!

  32. Quisquose

    I almost forgot to mention: Can someone please write about where this program came from in the first place? I’m generally very safe with my browsing. Antivirus Live popped up when I was browsing the reasonably-popular Blue Mountain online greeting cards site (www.bluemountain.com), which I’ve been to before and never had problems with, and I don’t recall doing anything there other than playing some greeting cards… I suppose it came from there, but HOW?

  33. Summer

    First of all, I've had Antivirus Live twice! The first time I had no idea what the crap was going on because I had Norton. I shut my computer down for about a month, meaning to get it fixed. That time I turned it on to see what was going on and it had somehow miraculously gone away. This time however, I do not have the luxury of being computer-less. Did some research and found out it was fake, which really frustrated me! These directions were awesome! Straightforward, easy and very understandable. Thank you so much! The only question I have now is the Antivirus Live is gone, but I am unable to connect to the internet using my wireless or my DSL cable. Any suggestions as to what to try or do next?

  34. Ctripp

    I got this this morning, I was going crazy seeing how it wouldn't let me into Task Manager or the Control Panel. I followed the steps on here. After I was in safe mode it wouldn't let me install SuperAntiSpyware, saying I didn't have administrator rights to do it. I then tried Malwarebytes and it installed. I let it run on my system drive & fixed the problems it found. I then rebooted & everything seems to be fine. I am now starting scans with Microsoft Security Essentials, whose running immunizer already caught a couple, & am at work now waiting to go home. I have checked with home and the scanner has finished, finding 4 more registration keys which I'll take care of when I get home. I just want to thank all of you for all the great advice. What a bitch. lol

  35. getridofantiviruslive

    Quisquose-

    I was also attacked by Antivirus Live and I too was searching for an e-birthday card on Blue Mountain. Sometime during my playing of cards, that's when the error messages occurred. Confirmed – Blue Mountain is the culprit.

  36. Garbinski

    To Quisquose… I didn't know where or when I got ANTIVIRUS LIVE, but when you mentioned “Blue Mountain Cards” that hit home. I was on “Blue Mountain” when my computer went into a “STALL” and then completely “FROZE”. I wasn't able to review or send the card I intended and I had to press the power button to shut down the computer. I sent the Blue Mountain card via my laptop. When I returned to my original desktop computer, I was faced with ANTIVIRUS LIVE. I now believe it came about during my “BLUE MOUNTAIN CARD” experience. I'm going to give “Alex's” suggestion a shot. If unsuccessful, I'm going to give “Summer's” method a shot… LET IT SIT FOR A MONTH!!! This should be ILLEGAL!!! Good Luck to All who are dealing with this pain in the #%& VIRUS.

  37. Garbinski

    Alex or ANYONE…is there any other name to identify the ANTIVIRUS LIVE in Windows Task Manager besides (random) sysguard.exe? I’m able to bring up Task Manager, but there’s no sysguard.exe under Image Name for Processes in order for me to “END” Process and continue.
    Thanks to all in advance for any assistance.

  38. Chuck vdL

    I'm in the process of repairing a friend's system that was infected with this bugger. I was able to nuke the process by using ctrl-alt-del as early as possible after initial login to bring up Task Manager while all the ‘autorun’ stuff was still starting up.

    Before that, once the ransomware had been loaded, it intercepted any effort to start any process killer apps (for that matter, ANYTHING I tried to run) so you really have to ‘get there first’ as it were in order to kill it. I just watched the tasklist in task manager as the various autorun stuff loaded and as soon as I spotted ’sysguard’ I nuked it.

    Garbinski, it is illegal; companies doing this kind of thing in the US have been sued and shut down by various state attorneys general. However these particular folks appear to operate out of Russia (at least according to the whois data on the URL they use to take your money and ‘activate’ their bogus ‘antivirus’ product).

    Summer, did you follow the directions and remove the checkbox in the network section of internet settings? The directions above could perhaps be clearer on this, but what you want to do is REMOVE the checkbox next to “use a proxy server for your lan…”. They show a screen shot with it enabled (as it will be when you open the UI) but could perhaps be a bit clearer in the picture that you need to uncheck that option.

  39. getridofviruslive

    I fixed the problem. I visited several sites to learn what worked in fixing the problem and also to make sure that the advice being given on the internet was accurate and wasn't an attempt to trick me into downloading a dangerous virus. After much research, I followed the above steps up to the change the LAN settings. After changing the LAN settings, I did not download the SuperAntiSpyware program suggested, only because this was the only site I came across that suggested it. Instead, I downloaded the Malwarebytes Anti-Malware program because I saw that it got good reviews on CNET. After downloading it, it wouldn't launch, and it was then that I shut down my computer and restarted it in safe mode, and then it did launch. I did a full system check and 4 trojans were found. I had the program remove them and now I'm golden. Problem solved. I just don't know if the Malwarebytes Anti-Malware program will protect against spyware, so I will have to do additional research on that. In the meantime however, no more annoying false “I have an internet virus” messages and no interruptions.

  40. PABLOoOoO

    Um, quick question: when I attempt to download SuperAntiSpyware in safe mode, my Windows Installer is unavailable during safe mode. Why is that?

  41. Adi Inbar

    I was infected with this scumware, it's one of the nastiest I've seen in terms of preventing the user from removing it. There is apparently more than one version, and the new one blocks ALL executables (other than Internet Explorer, which gives you a message saying that the web site you were trying to access is dangerous, and provides links to “protect your computer” regardless of what web site you try to access), so you're crippled in any attempt you make to remove the virus. Note that Firefox can browse the web unobstructed, *if* you already have it running when you're infected, but that doesn't do much good, because you can't run any removal utility you download.

    If you have another computer running Windows on your network, you can kill the virus remotely using the following procedure. This method doesn’t even require rebooting.

    1. You will need the psexec, pslist, and pskill utilities from Sysinternals. If you don’t already have it, download the Sysinternals Suite (on your uninfected computer, of course) from:

    http://technet.microsoft.com/e.....42062.aspx

    Unzip the file into a directory of your choice. No further installation is necessary.

    2. Open a command prompt and navigate to the directory containing your Sysinternals utilities.

    3. Enter the following command:

    psexec \\[infectedcomputer] cmd /c net start remoteregistry

    [infectedcomputer] is the name of your infected computer (do not add the brackets).

    This starts the Remote Registry service, which is necessary in order for the next step to work. You should receive a message saying “cmd exited on [infectedcomputer] with error code 0”.

    4. Enter the following command:

    pslist \\[infectedcomputer] | find "sysguard"

    You should receive a single line of output in the following format:

    ####sysguard 5344 13 1 173 2704 0:00:00.203 0:00:02.359

    The #’s are some random characters. The first number following the name of the process (5344 in this case, but yours will be different) is the process ID (PID).

    5. Enter the following command:

    pskill \\[infectedcomputer] [PID]

    Again, don't include the brackets, just the computer name and the PID number (e.g. "pskill \\HAL9000 5344"). You should receive a message saying “Process [PID] on [infectedcomputer] killed….”

    (Yes, I snuck in a “2010: A Space Odyssey” reference in honor of the new year. I am a geek, I admit it…but if I weren’t, I wouldn’t know how to defeat this virus.)

    6. On the infected computer, you should now be able to run applications. Remove any of the following registry entries that you find:

    HKEY_CURRENT_USER\Software\AvScan
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"

    7. Delete the virus’s files. The location depends on which version of Windows you’re running.

    Vista: C:\Users\[username]\AppData\Local\
    XP: C:\Users\[username]\Local Settings\Application Data\
    2000: C:\Documents and Settings\[username]\Local Settings\Application Data\

    In this location you will find a file called sysguard.exe, and a subfolder whose name is some random characters and contains ####sysguard.exe. Delete them both. I recommend using Shift-Delete, so that the virus’s files don’t live on in the Recycle Bin.

    OFF-TOPIC PUBLIC SERVICE ANNOUNCEMENT: Always make regular backups of your personal files. If you don’t, you WILL lose those files sooner or later. It’s not a question of whether, it’s a question of when.
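An added example, not part of Adi Inbar's comment above: the same remote-kill idea using PowerShell and WMI instead of the Sysinternals tools, followed by a listing of the Run entries on the infected machine so the random-named autostart value from step 6 can be spotted. It assumes a clean Windows machine with PowerShell, an account that is a local administrator on the infected PC, WMI (DCOM) reachable through its firewall, and the Remote Registry service started (step 3 above does that). The computer name INFECTED-PC and the function names are placeholders of mine.

```powershell
# Added example for this page, not code from the comment above. Same idea as the
# psexec/pslist/pskill procedure, using WMI from a clean Windows machine.
# Assumptions: you are a local administrator on the infected PC, WMI (DCOM) is
# reachable through its firewall, and the Remote Registry service is running
# (step 3 above starts it). INFECTED-PC is a placeholder name.

function Stop-RemoteRogueProcess {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [string]$NamePattern = '%sysguard%'   # WQL LIKE pattern; Antivirus Live is <random>sysguard.exe
    )
    $hits = @(Get-WmiObject -Class Win32_Process -ComputerName $ComputerName `
                  -Filter "Name LIKE '$NamePattern'")
    foreach ($p in $hits) {
        $rc = $p.Terminate().ReturnValue     # 0 means terminated
        Write-Host ("{0}  PID {1}  {2}  terminate rc={3}" -f $p.Name, $p.ProcessId, $p.ExecutablePath, $rc)
    }
    return $hits.Count
}

function Get-RemoteRunEntries {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # Remote registry exposes HKEY_USERS, not HKCU: the logged-on user's hive is
    # under HKU\<SID>, so walk every loaded hive plus HKLM.
    $runPath = 'Software\Microsoft\Windows\CurrentVersion\Run'
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)

    $keys = @(@{ Hive = 'HKLM'; Key = $hklm.OpenSubKey($runPath) })
    foreach ($sid in $hku.GetSubKeyNames()) {
        $keys += @{ Hive = "HKU\$sid"; Key = $hku.OpenSubKey("$sid\$runPath") }
    }
    $entries = @()
    foreach ($k in $keys) {
        if ($k.Key -eq $null) { continue }
        foreach ($valueName in $k.Key.GetValueNames()) {
            $entries += New-Object PSObject -Property @{
                Hive    = $k.Hive
                Name    = $valueName
                Command = $k.Key.GetValue($valueName)
            }
        }
    }
    return $entries
}

$target = 'INFECTED-PC'   # placeholder
$killed = Stop-RemoteRogueProcess -ComputerName $target
Write-Host "$killed matching process(es) terminated on $target"
# Random-looking value names launching something under Local Settings\Application Data
# or AppData\Local are the rogue's autostart (step 6 above); delete them once the
# infected PC can run programs again.
Get-RemoteRunEntries -ComputerName $target | Format-Table Hive, Name, Command -AutoSize
```

Win32_Process.Terminate returns 0 on success; a non-zero value (2 is access denied) usually means the account is not an administrator on the target or UAC remote restrictions are in play, in which case the Sysinternals route in the comment has the same problem. One caveat on step 7 of the comment: on Windows XP the per-user Local Settings\Application Data folder lives under C:\Documents and Settings\[username], the same layout the comment lists for Windows 2000.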

  42. Grovesprof

    I shut down the computer and turned off my Internet connection (shutting off the wifi). I rebooted with no problem. I then renamed Malwarebytes “m” as one commenter suggested. My scan found three Trojans.

    I downloaded superantispyware on another computer and was able to install it. It’s running now.

    I did not have to boot into safe mode to do this. Thanks so much for the advice here! Very much appreciated.

  43. Caesar24

    Alex or Anyone Else

    Alex’s suggestion listed below worked like a charm for me. Thanks alot for the help.

    “Just a quick thing to try that worked for me if the virus has disabled safe mode and Task Manager and the ability to add or remove any program on the computer, like it had for me. I was able to “beat” the virus by restarting Windows and, the instant my desktop popped up, opening Task Manager and ending the process that is the virus (it will always begin with a random word/letters but looks like this: [random]sysguard.exe). This allowed me enough time to take the other steps to remove the virus without it blocking everything, as it takes a few moments to put into place all of its blocks.”

  44. Mike

    I am trying to run superantispysoftware but it tells me the administrator won’t let me.
    what todo?

  45. Bob

    I was able to kill with task manager. Didn’t even have to kill it before it started doing stuff, just had to get task manager up before it prevented that. Just finished superantispyware scan and moving forward.
    Thanks for help from multiple posts!

  46. Garbinski

    Chuck vdL and ALL… UPDATE, SUGGESTION and POSSIBLE FIX to ANTIVIRUS LIVE… After researching and trying to accomplish the various ANTIDOTES provided on this site and other sites, my computer sat “POWERLESS” for 2-3 days; thankfully I have other computers to utilize. When I turned on my computer (WITHOUT ACCOMPLISHING ANY OF THE SUGGESTED REMEDIES)… the ANTIVIRUS LIVE was no longer present?!?!? I immediately turned off the computer and restarted it to see if it would return… “NOTHING”. It was as though the ANTIVIRUS LIVE had DISAPPEARED! I searched the Internet (on a different computer) to seek a “FREE” download for virus protection and ended up choosing Panda Cloud Antivirus Free Edition 1. I downloaded and installed (only chose the 20 free fixes). Today I went and purchased Norton Internet Security 2010 (STAPLES $59.99 for 3 PCs — it was on sale up until 1/16/10 with a $40 Rebate… I got $20 off today from the Asst. Mgr… 3 PCs for $39.99). Installed and haven't experienced ANTIVIRUS LIVE since. SUMMER above stated a “MONTH” of no usage and ANTIVIRUS LIVE had “miraculously” disappeared… a possible fix may just be turning the power off the computer for at least “2 or 3” days to see if this virus will disappear. No harm in giving that method a shot if you can afford being without your computer that long. Just another suggestion/experience… GOOD LUCK!

  47. Alesha

    Thank you so much for your guidance! You put an end to my tears fairly quickly!

  48. Howie

    Thank you so much it worked like a charm for me :)
    Now I don’t have to wait for my comp-tech friend. This really saved my ass. Thanks again!

  49. Mala

    Many thanks. Running SuperAntiSpyware and Malwarebytes each in safe mode appears to have cleared up the problem. I’m still running McAfee now, but I’m taking it as an excellent sign that I can even access the program.

    I’m definitely going to have to do some reading up on how one gets infected. I hadn’t been to Blue Mountain like several other people had mentioned. Right before the attack, I’d been trying to remember a joke and Googled up a joke site. It’s not the type of site I normally visit, and I don’t even remember what it was called. I’m feeling like a bit of a moron for even going, but I get the feeling that’s where I picked it up.

  50. Bruce Roberts

    Another tool to try – if you know how to build it – is BartPE, or VistaPE. Boot into these CD OS environments – you will not have any virus active – and you can begin to look through your C drive.
    This virus, in a tricky variant, leaves many references to ******sysguard.exe on your system – but I found on my last machine the ******* was the same everywhere for that machine.
    So with a clean boot – find the reference in msconfig (if it exists) – look for new folders in c:\program files\…… and identify the exe file from there, open up a DOS window and from c:\ do a dir *******.* /s to search your whole C drive for files with the same first few letters. You might find them in temp areas, c:\windows, c:\windows\system32. Delete them wherever you find them.
    Then boot back up in real mode, fix your IE proxy, dump your restore points, dump your temp files, and load up all of the scanners mentioned and run a full scan.
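An added example, not from Bruce Roberts's comment, that does his dir *******.* /s search from PowerShell against a disk that is not the running system: the infected drive attached to a clean PC (as Spydey described earlier in the thread) or the local disk seen from a Windows PE boot disc that includes PowerShell, so the rogue cannot interfere. It looks under both the XP (Documents and Settings) and Vista/7 (Users) profile layouts plus the Windows folders the comment names, groups hits by the random prefix that he observed is the same for every copy on one machine, and moves them to a quarantine folder rather than deleting them so a false positive can be restored. The drive letter E: and the function names are placeholders of mine.

```powershell
# Added example for this page, not code from the comment above.
# Hunt for Antivirus Live's <random>sysguard.exe copies on a drive that is NOT the
# running system (infected disk attached to a clean PC, or a WinPE boot with
# PowerShell). 'E:' is a placeholder for the infected volume's drive letter.

function Find-SysguardFiles {
    param(
        [Parameter(Mandatory=$true)][string]$Root,   # e.g. 'E:' for the attached infected disk
        [string]$Pattern = '*sysguard*'              # matches sysguard.exe and <random>sysguard.exe
    )
    # Profile roots on both layouts, plus the system folders the comment mentions;
    # roots that do not exist on this volume are skipped.
    $candidates = @('Users', 'Documents and Settings', 'Windows', 'Windows\System32', 'Windows\Temp') |
        ForEach-Object { Join-Path $Root $_ } |
        Where-Object { Test-Path $_ }

    $hits = @()
    foreach ($dir in $candidates) {
        $hits += Get-ChildItem -Path $dir -Recurse -Force -Filter $Pattern -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
    }
    # The random prefix is the same for every copy on one machine, so report it
    # separately: it is what you grep the rest of the disk and the registry for.
    $hits | ForEach-Object {
        New-Object PSObject -Property @{
            Prefix   = ($_.BaseName -replace 'sysguard.*$', '')
            Path     = $_.FullName
            Size     = $_.Length
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
        }
    } | Sort-Object Prefix, Path
}

function Move-ToQuarantine {
    param([string[]]$Paths, [Parameter(Mandatory=$true)][string]$Quarantine)
    # Move instead of delete so a wrongly matched file can be put back.
    if (-not (Test-Path $Quarantine)) { New-Item -ItemType Directory -Path $Quarantine | Out-Null }
    foreach ($p in $Paths) {
        $dest = Join-Path $Quarantine (($p -replace '[:\\]', '_') + '.quarantined')
        Move-Item -LiteralPath $p -Destination $dest -Force
        Write-Host "moved $p -> $dest"
    }
}

$found = @(Find-SysguardFiles -Root 'E:')   # placeholder drive letter
$found | Format-Table Prefix, Size, Created, Path -AutoSize
# After reviewing the list (a legitimate file would not share the random prefix):
# Move-ToQuarantine -Paths ($found | ForEach-Object { $_.Path }) -Quarantine 'E:\Quarantine'
```

Once the files are quarantined, the Prefix column gives you the exact string to search for in the Run keys and in msconfig when the machine is booted normally again, which is the rest of the comment's procedure.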

  51. Ctripp

    After 2 days of working fine, it reappeared while I was at work. After finding out it wouldn't let me run anything again, I rebooted. This time my computer wouldn't let me into safe mode & just rebooted Windows. It seemed to be working fine. I ran all three progs here & Spybot. After that I was getting a couple of small popups with the usual warnings from a website. After a couple of popups, Microsoft Security Essentials started catching things in the IE temp files. After about half a day of clicking clean computer & running the progs a couple of times, Spybot still comes up with the same 2 problems every time, but all the other ones come up clean. So far, fingers crossed, I haven't gotten the popups for about 5 hours now. If they reappear, I'm just formatting.

  52. Michelle

    I have this virus on my laptop. Window task launcher will not allow me to follow these instructions. I’m going to power down for a few days to see if what Garbinski suggests to do will work.

  53. Odeho19

    @ the Geek, you said,” Note that some malware will block you from using safe mode. That usually requires another set of steps that we won’t cover here.”

    Are you going to cover this soon, or have you already, and I can’t find it?

    Thanks for the article, and there have also been some helpful tips in the comments section here too!

    Odean

  54. The Geek

    @Odeho19

    Yeah, I’m writing that up, got a whole series planned on this.

  55. BrainySmurf

    I just had this nasty virus invade my laptop about 90 minutes ago! Took the IT techs an hour to remove it.
    -Restart – hitting F8
    -safe mode with networking
    -deleted all temp files/cookies/history
    -returned internet settings to default
    -ran malwarebytes and removed all infections detected
    -restarted – hitting F8
    -System Restore to previous day
    -Restarted in normal mode and problem was fixed!

  56. kris

    i followed the instructions but now opera can’t access the internet. google and firefox can
    but not opera. help me

  57. used2malware

    I have actually found if you simply log off or restart your computer, as soon as you can see your desktop, try opening malwarebytes’ or any program you need to that the virus doesn’t let you. For some reason you can open programs shortly after your computer is back to the desktop and the virus doesn’t interrupt. I’ve found this useful, hope you did as well.

  58. BrainySmurf

    You have to reset the internet settings….one main problem this virus causes is it blocks the internet. And do a system restore while in safe mode.

  59. Lenah

    THANK YOU SO MUCH!!!!!!!!!! Helped me a lot!!!! I don’t even know how did I get these viruses?

  60. Rob

    Woo Hoo!!!!! 4 FRIGGIN HOURS Later It looks like the dreaded ANTIVIRUS is gone. I will keep my fingers crossed. Thank you Geek :) . I ran both Superantispyware and Malwarebytes in the safe mode. I could not for some reason get the Microsoft security Essentials to run but things still look good. This was huge for a non-computer savvy person like me to make this fix. Thanks again!!!

  61. silverthefox

    ANTIVIRUSLIVE!!!!! Why don’t you just revert your drive to a time before you had the virus. Malwarebytes does zilch to get rid of antiviruslive. I used system restore on my XP Pro system and voila antiviruslive was no more.
    I can’t understand why no one has mentioned this method before but I must admit it took me a while for the idea to come to me as I had used it before but ages ago. Thanks

  62. jamie

    January 22, 2010 1:07 pm jamie
    Hello- SORTED AT LAST!!

    I’VE FINALLY SORTED THE PROBLEM after a very frustrating day! I’m not a techie in any way so I was literally trying to read forums from this as well as other websites. Please excuse any lingo below that seems amateurish!

    The biggest problem I had was that even though I had downloaded the super antispyware the virus would not allow my laptop to run the application! It kept just coming up “The application etc etc etc is infected”.
    When I restarted the laptop, I noticed that there is a period of approx 30 seconds to 1 minute immediately after the desktop appears before the virus actually kicks in. Once the virus has reopened or kicked back in, I am completely powerless to even connect to the internet.

    If I connected quick enough after re-starting I was able to get online at least where I could check forums such as this one as well being able to download the Super antispyware.

    As mentioned above though, once the virus has kicked in on your OS, any subsequent applications will be prevented from running. Save the SAS to your desktop for speedy access. Once you have successfully downloaded the SAS, re-start your system and run the SAS immediately when the desktop appears and go through the recommended steps, ie, scan the entire computer (my scan took 35 minutes), remove all viruses and then reboot- and then hopefully you’ll be back in action- Hope this helps!

  63. Bruce H

    Thanks a lot for being there for me when I needed you. When Antivirus Live kicked in yesterday I was fortunate to have Firefox already running and so was able to find this web page and – especially – the invaluable information I found in the Comments section. Otherwise I’d be unhooking my PC this morning to take to my local friendly geek shop because this virus/malware/whatever had me completely blocked and dead in the water.

    Key to my getting a handle on this were the tips about intercepting it at startup by ending the —-sysguard.exe process. Thanks to those of you who shared that crucial information.

    And secondly, thanks to Chuck vdL who clarified what to do when resetting the internet LAN connections, i.e. ” REMOVE the checkbox next to ‘use a proxy server for your lan…’”** I am exactly the kind of computer semi-illiterate who needed that to be spelled out. This page’s LAN instructions need to be corrected right now. That the screen shot provided shows the settings as they shouldn’t be is completely misleading to an idiot like me, especially w/out any helpful accompanying text about the process.

    **Let me be even more clear:
    REMOVE the checkmark next to “Use a proxy server…”.
    PLACE a checkmark next to “Automatically detect settings”.

    Now I’m up and running and apparently clean. SuperAntiSpyware apparently found most everything – 40 items. MalwareBytes found a couple more. Good luck to everyone who’s unfortunate enough to catch this thing.

    P.S. I, too, caught this thing during what I thought was fairly unrisky web activity. I was visiting tourist sites and blogs re. a possible trip to Buenos Aires.

  64. Tyrell K

    Desktop running Windows XP Pro:

    SILVERTHEFOX, after I was able to log on with my laptop (uninfected) and found this page and others to find out what this thing was… I downloaded the 2 programs recommended above and went to my desktop (infected). Safemode was disabled with the standard methods, so I restarted and (could’ve opened taskmanager right away to kill the Antivirus Live process as it loaded, but didn’t need to) I went to the start menu and then Run. Typed in msconfig, and changed the boot options manually to safemode. I then restarted, computer went to safemode, and was going to go through the entire process. A pop-up window in safemode however said something about restore, and then a light bulb turned on in my head.

    I restored to 2 days ago before the problem started. Restarted and no virus!!! Just to be safe I ran the Avast scan and did find one trojan so far as I am at 52% done with the scan, I am not sure that this was still left over from Antivirus Live, but figured it was a good time to do a little clean up.

    To everyone that said they left their computers alone for a few days and then came back to find no problem… If I was the programmer of this virus, I would have it go and HIDE if the fake software purchase wasn’t made in 24 hours. Being that if you don’t shell out the money right away, you probably will find other means to get rid of this. And then a week later… BOOM it comes out of hiding for another 24 hours and the cycle continues.

  65. Jim

    I had this stupid, stupid virus yesterday. I went into Safe mode, deleted the sysguard.exe command that was causing all the problems and then went back in normally. I downloaded Malwarebytes and Superantispyware and spent the rest of the evening running them. I think I’ve got rid of everything – quite proud of myself for doing it all on my own (albeit while consulting message boards on my wife’s laptop).

    Firefox runs on the computer, but Internet Explorer doesn’t. I shall have a look at the checkmark settings from two posts above this when I get home tonight.

  66. Adam

    FWIW … I restarted my computer four times in a row (I didn’t make any changes to anything), and amazingly the virus has not shown up this time. I am installing spyware programs to perform scans now, but at the very least, I’m not getting bombarded with fake messages, and I am able to install and run all programs again. I’ll update if something changes…but it never hurts to give the computer the ol’ restart.

  67. XT

    Jim,

    Start Internet explorer, I’m assuming Internet Explorer 8. In the browser, near the top, click on tools, then go down to internet options. Once in there, click the connections tab. On the bottom you should see LAN settings. Click that. Use a proxy server should be checked. Uncheck that. Click ok. You should be all set and able to surf.

    The virus/malware set this to connect to localhost which was changed to redirect to the rogue websites.

    I hope this works for you.
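
The LAN-settings fix that Bruce H and XT describe above (the malware enables an IE proxy that points at the local machine) can be checked and undone from a PowerShell prompt as well. The script below is an added example; it is not code from the article or from any of the commenters. It assumes Windows PowerShell 2.0 or later, that it is run as the user whose browser was hijacked (the setting is per-user), and that a proxy entry containing 127.0.0.1 or localhost on a desktop PC is the pattern XT describes rather than something the owner set up deliberately. The "Automatically detect settings" checkbox Bruce H mentions is stored in a separate binary value and is left to the Internet Options dialog.

```powershell
# Added example, not from the article or its comments: inspect the per-user
# Internet Explorer proxy setting that Antivirus Live points at a local fake
# proxy, and optionally clear it. Assumes Windows PowerShell 2.0+ and that it
# runs as the user whose profile was hijacked (the key is under HKCU).
param([switch]$Fix)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s = Get-ItemProperty -Path $key

"ProxyEnable : $($s.ProxyEnable)"
"ProxyServer : $($s.ProxyServer)"

# A proxy that points at the local machine on a home or office desktop is the
# pattern described in the comments: the malware runs its own proxy locally
# and funnels every browser request through it, so unchecking the box in
# Internet Options (or clearing these two values) restores connectivity.
$suspicious = ($s.ProxyEnable -eq 1) -and ($s.ProxyServer -match '(127\.0\.0\.1|localhost)')

if ($suspicious) {
    Write-Warning "IE is configured to use a local proxy: $($s.ProxyServer)"
    if ($Fix) {
        # Same effect as unchecking 'Use a proxy server for your LAN'.
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
        "Proxy disabled; close and reopen Internet Explorer to pick up the change."
    } else {
        "Re-run with -Fix to disable it, or uncheck 'Use a proxy server' under Internet Options > Connections > LAN settings."
    }
} else {
    "No local proxy configured for this user."
}
```

Run it once without the switch to see what is set, then with `-Fix` if it reports a local proxy. If the proxy is set by a domain Group Policy rather than by malware it will reappear at the next policy refresh, which is a useful way to tell the two apart.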

  68. Nick

    XT,

    I tried to uncheck that but the internet is still not working. Anyone have any idea?

  69. G

    Heads up. The aforementioned scourge/malware also took over my “toolbar”. Meaning that the icons in my tb are no longer what they once were and my audio drivers were erased/corrupted. Any other possible missed consequences of this bug? Many thanks for all the previous help and info.

  70. Diane

    Thanks to all that mentioned rebooting and hitting ctrl-alt-del and stopping the program from the task manager. We were infected at work and were able to access this site from another computer.

    We still haven’t fixed the problem as we have a computer guru that is a “friend” of the owner and only shows up when he feels like it but gets furious if we try anything on our own. Forget that I have a masters in computer programming. But we won’t go there. Still the above trick has at least got the infected computer up and running for now.

    For those curious about how you might have got the virus:
    Usually this style of fake spyware attack comes in from pop-ups asking if you want a free virus scan, but no matter whether you click “yes” or “no” it automatically starts downloading as if you said yes. Your best bet if you get any unsolicited pop-up is to stop the process from the task manager. Odd thing in our case is that the only suspicious thing the supervisor remembers is a pop-up appearing while reading his e-mail asking if he wanted to download a free program to read the attachment, which he clicked “No” to despite my past warnings.

  71. Novice

    Thank you very much! I was able to run the scanner in safe mode and remove antiviruslive while following it step-by-step.

  72. BigLou

    Is it a coincidence or does it just seem that since I have been using Google Chrome as my ONLY browser choice I have had no problems with malware at all. Comments?

  73. samantha

    I have that damn virus I have had it for 3 weeks now (I got the new version too, btw if you have firefox browser it is not affected by it) and all I can do really is halt its progress, it won’t let me download anything in safe mode or do anything really. I can’t download the software you prescribed (I have tried) and it is officially making me want to break my computer. I am able to delete the main file outside of safe mode though so I was just wondering if there were any other files/servers I could kill while not in safe mode?

  74. djkc

    Thank you so much for these instructions!!! I have them bookmarked now. Yesterday, I got the AntiVirus Live prompt and wasn’t sure what it was about because the window closed itself. (Hmm, as I think about it, I think my work computer has this too.) The virus must not have taken effect because I was able to research about it and find these instructions. I also was able to download Super Antivirus Spyware onto a CD, and same with Malware Bytes. When I ran SAS, it found 276 threats (adware – cookies), I cleaned and removed them. Nothing was found when I ran Malware and my normal anti-virus tool.

    I still suspected the virus lurking about – dormant, if you will – so I ran both SAS and Malware again today. SAS found 10 threats (adware – cookies), and nothing on Malware and my normal anti-virus tool. SO instead of doing the Combofix as mentioned, I ran Microsoft Security Essentials. Voila – virus found. It is VirTool:JS/Obfuscator.G I’m not sure if this is related to AntiVirus Live, or what. But I can say, I have spent the past two days trying to get the booger off my computer. Am I in the clear, or should I run the Combofix too? I think I have got it? Have I? I hope. At least for now.

  75. Gil

    Garbinski,

    I cannot stress enough how important it is to not do business with anyone who proclaims they are the only ones who can fix a problem. Places like the Geek Squad and Staples should be avoided – IMHO. If you must take your PC somewhere, consider seeking out a local computer shop in your area. Talk with them first and ask for references, then check the BBB. Overkill? Maybe, but doing this leg-work upfront could save you lots of headaches in the long run. Besides, finding a local shop, who is reputable, to do your computer repairs is the start of a good business relationship.

    I shouldn’t complain though – about Geek Squad and Staples. Their “professional” work has allowed me to make some good money, fixing people’s computers where they were taken to one of these “expert” repair locations.

    As to the problem at hand? Read the steps and posts in this article – or do some Google searches on the topic. There are people here, and elsewhere, who are more talented at helping with problems than you’ll find at Best Buy or Staples.

    Good luck!

  76. Derek

    I contracted this malware and it was able to somehow get my card details. (I didn’t enter them in.)
    Trying to remove the program just made it worse. It got to the stage where I couldn’t even search for the .dll files and it has since fried my pc and now I’m on the search for a new one.

  77. Seen it

    In-law got desperate, paid the $49.99. They charged his card three times. Had to file a complaint. So it ends up more trouble than just messing up your PC.

  78. brook

    OK, so cleanup of these viruses is really great. BUT how are they getting through IE in the first place? IEs are patched to the hilt, so it’s not thru old vulnerabilities, and it’s in the Internet Zone so should not really run nasty stuff. We do know they’re in the Ads and we know the users are not explicitly clicking (or at least not that they notice), so what mechanism is being used, any good ideas? I’m mainly referring to the ones that recently were on the “Star Tribune infecting web readers with a computer virus.” A bunch of people got caught by that.

  79. MarcoPolo

    Thank you. Followed directions and everything worked out just fine.

  80. Alia

    I got the virus and didn’t know how to remove it until I found this page. Thank you for the directions on how to remove this virus. I followed them and everything on my computer is working back to normal.

  81. damiththa

    one of my roommates got infected one time.
    I did a regular virus guard check from AVG then, quarantined them, then I figured it was something with the registry key. Instead of messing with all that, I uninstalled the internet browser he had, and installed a brand new browser on his machine and it is working ever since.

  82. Connie Drye

    What a mess the virus made of my computer but after I downloaded and followed your instructions I was able to clean my computer completely of this malware. My desktop was infected so I downloaded the spyware program on my zip drive and then booted my desktop in safemode with networking, ran the scan and it cleaned it. Wonderful wonderful program. Thanks so much!!

  83. Pat

    Contracted antivirus7. Took me an hour to stop it. It hijacked my computer, my administrator overrides, would not let me delete or get out of the program without buying this bogus product, etc. I checked my system startup programs window (got lucky the icon for this window appeared in my toolbar) and I opened it and ran down my list. AV7 was listed and checked to run. I unchecked it and another that began with E and was listed as unknown. Not sure the 2 were related. I restarted. Once windows was restarted I went back to c drive, program files and deleted the AV7 file. I was able to delete the shortcuts, and delete the av folder in the all programs list. Sent all to trash and permanently deleted from there. I checked my registry and could not find any related keys that other people suggested to remove. I then ran McAfee (it found nothing), SuperAntiSpyware (free download) it found 7 trojans and a zillion adware cookies, and finally MicrosoftSecurityEssentials (free download) it came up clean too. Makes me wonder about McAfee. So far so good. Not savvy enough to figure out all the other suggestions. I am keeping my fingers crossed. I suggest everyone check their start up windows program and see if these other viruses are listed there.

  84. david

    You have a few moments when you startup your PC to hit ctrl+alt+delete and end the fake antivirus programs. This allows you to run Malware,Spyware Removal programs. There are usually about 30 processes running and you have to find which one the virus is by checking the process name with google and verifying its authentic. My latest one started with ppv.

    Make sure you also open up a browser right away before the virus disables it.

    Good Luck

  85. john

    many people don’t know how to get back the internet connection from Proxy Settings. They will think their computer is still infected by the virus even after they cleaned up.

    Good catch on this.

    Malwarebytes and Superantispyware are my two favorite tools

  86. Snoman27

    Just a friendly reminder to run your SAS and Malwarebyte scans in SAFE mode. I was able to run the scans in normal mode before the AntiVirus LIVE virus became active which as stated in other posts – was about a minute after start-up. It would actually detect the problems and “remove” them. Unfortunately, it did not really get rid of it until I ran the scans in SAFE mode. Thanks again for all of the assistance. BTW – the MS Security Essentials scan would get hi-jacked by the virus before even starting its scan in normal mode. Not sure where I picked the bugger up, but it kept me busy for awhile.

  87. Pete

    This malware will make a cry-baby out of a man. It’s amazing that we can put a man on the moon but can’t completely stop this virus without these great tools. The steps at the top of this page are 100% correct. You might have to act fast as your computer is starting in order to stop the process. Make sure the “(random).exe” file is not only deleted from the C: drive but also from the recycle bin. BUT use Malware Bytes and Super Anti-Spyware to rid yourself of the Trojans, HiJacks, and Registry entries. A RESTART is essential after Malware Bytes finishes scanning. It won’t delete the files unless you restart.

    I use Vista 64-bit and McAfee Anti-Virus and got two different versions of this virus. Back in January I got Anti-Virus Live. What a pain! That exe is “sysguard.exe”. I did get rid of it. Two months later I got Vista Defender. It does the same thing as Antivirus Live but is a different infection. That exe (if you’re looking for it) is ave.exe. My brother’s pc got it as well and I tried for 4 hours to fix it and everything was locked on it. Granted it’s a 10 year old computer. So he just decided to leave it off for 3-4 days and turned it on and the virus didn’t start. He was able to run Malware Bytes and Super Anti-Spyware and they got rid of a few things.

    In addition, after reading and doing a lot of research on this, it affects everyone differently and everyone has a different story on how they got it and what it does to their machine. I couldn’t even use ComboFix because I run Vista 64-bit and ComboFix is NOT compatible with it (go figure). I got the Vista Defender from Mediafire…not the site itself but a pop-up on the site. It was a pop-up for Futon Critic?!? I read some of you got it from Blue Mountain. I read on another forum about someone who got it from myspace. I don’t know this for sure but I don’t think this is a virus that lies dormant. It couldn’t really run dormant because you’d see new exe files on your pc that weren’t there before. And if you run Malware Bytes and Super Anti-Spyware often (twice a week) you’ll find the bad stuff in your computer. I think as soon as you get it from a pop-up you’ll know right away.

    My advice is just be careful of which websites you are visiting. Stay away from file-sharing sites. Don’t open emails or click on anything you don’t recognize. If you get it from a particular site, contact that site (ie Blue Mountain) and mention you received a pop-up from their site that caused a virus. Also contact Microsoft and the company whose Anti-Virus software you use. Let them know their Anti-Virus didn’t do its job. Ask Microsoft and your anti-virus company what steps they are taking to prevent this.

  88. Toni

    I was seriously thinking about paying Best Buy $200 to remove all rogue malware infections. After finding this wonderful site and following directions I am able to use my computer again. After I ran the SuperAntiSpyware it removed 193 viruses/malware. 30 minutes later my computer was still under siege so I then ran Malwarebytes and removed 649 malware; to my surprise my computer is back as before. Now to be cautious I am going to run the MicrosoftSecureEssentials and wait if any other malware is detected. Thanks so much for this wonderful site and advice.

  89. Toni

    My advice to anyone whose computer is infected with malware. Follow the directions above “Removing Rogue Fake Antivirus Infections” and you too will be surprised and happy.

    Best Buy told my husband it would cost $200 to remove the malware virus plus they would have to rebuild the registry; and they would keep our computer for 3 to 5 days. After running the Malwarebyte Antimalware it found 4 infected registry keys; 2 infected registry values; 6 infected folders and 635 files infected. Now that’s 279520 files 47 min 17 sec later.

    We just connected our 2 external hard drives for another scan from malwarebyte to make sure we have captured all. This site is the best
    “How to GeeK” Love you.

  90. Pepin

    If you really want to make sure you and your loved ones don’t get hit by these sorts of programs again, kill them from the source: tell everyone you can contact to never under any circumstances pay these guys. The one thing I can see in common with all of these programs is they require you to pay with your credit card to remove them. If no one pays them there will be no incentive to hold people’s computers hostage anymore. Put this up on your myspace, facebook, hell even your twitter. If we spread the idea like a virus to dry these guys out no one will take the risk again to make these programs again.

  91. ToraScotia

    My PC was infected with this virus a few days ago.

    I tried numerous ways to eradicate it before coming up with the solution which worked for me. My Windows 7 Repair Disc had already proved ineffective.

    I inserted the Windows 7 Installation disc into the PC, then booted up the machine.

    A message later appeared regarding Country Keyboard etc., so for me it was UK.

    The next message which showed up was to ask if I wished to Install Windows or do a Repair.

    I chose Repair and I soon found myself at System Restore.

    After I had chosen the option I wanted, I was quickly back in business with a restored PC.

    Just to make sure that everything was OK, I ran a full disc scan with Avast!, then SUPERAntiSpyware, followed by MalwareBytes and Windows Defender.

    The PC got a clean bill of health.

    I also downloaded and installed the free version of Macrium Reflect. This excellent programme allowed me to create a backup of my boot drive and place it on a different partition on my PC.

    The whole process took about 10 minutes to backup 24 gigs of data and resulted in a file of 8.8 gigs. If something should go wrong in the future, I can always restore a clean backup to the PC.

    I noticed a comment that the Firefox browser is not affected by this virus. I’ve used Firefox for years and have the current version installed on my machine.

    I’ve taken a tip from this site and now have a copy of the free, portable version of SUPERAntiSpyware on one of my Flash Drives.

  92. jimfixit

    01 Go to – http://www.howtogeek.com/howto.....and-other- roguefake-antivirus-malware/
    02 Scroll down to – Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
    03 Select – use the free, portable version of SUPERAntiSpyware
    04 Download this program to a usb removable drive
    05 Start your infected computer
    06 Right click the Start Icon bottom left
    07 Select – open
    08 Open – Program folder
    09 Open – Startup folder
    10 Select – Start
    11 Select – Computer
    12 Select – portable usb drive
    13 Now drag the portable SUPERAntiSpyware from your usb removable drive
    14 Drop the program into the Startup folder
    15 Restart the infected computer
    16 The Antispyware program will start up before the infected virus kicks in
    17 As the program comes up select – Click here to start
    18 Select default language – English (US) – Press ok
    19 In the main menu select – Scan your computer
    20 Select – the drives that need to be scanned
    21 At the end the problem will be gone
    22 Run the scan twice just to make sure
    23 As with this computer all should be ok

  93. nipsy

    Well I might as well add our story of victory against this evil virus. We caught the virus from a trusted site, but through a pop up ad. We tried running SuperAntiSpyware, it said removed but of course it wasn’t. We couldn’t get into task manager in regular mode, and in safe mode the virus wasn’t showing. So here are the steps we did to get rid of this:

    1. Booted into Safe mode
    2. In Start bar, typed msconfig
    3. Under start up programs we found an unknown program running, hover over the program to find file path.
    4. Ours was NOT labeled sysguard.exe. It was under the name :gjsevuvea\cayartistssd.exe
    5. Went to our C: drive and followed the file path we had seen in the start up
    6. Found file and shift + delete to kill it without sending to our recycle bin
    7. Went through same path and killed any and all folders created on same day virus was caught
    8. Go back to msconfig and unchecked the unknown program from starting
    9. Rebooted and ran SuperAntiSpyware scan. So far it is NOT showing up in the registry scans like it did before.
    10. Reboot again and run Microsoft Essentials Security Scan
    11. Reboot again
    12. Run msconfig and check start up programs

    So far we seem to be clean and clear. I’m running more scans right now and plan on doing an entire drive search for any and all new and unknown programs.

    Thank you so much for all these tips and different pieces of info. We took some from everyone and that seemed to work in our situation. Fingers crossed this worked.
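
The msconfig walk-through nipsy posted above, and Pat's earlier tip about checking the startup programs window, both come down to the same thing: find an autostart entry you do not recognise and look at where its executable lives. The script below is an added example, not code from the article or from any commenter, that lists the usual autostart locations from a PowerShell prompt (it works in Safe Mode) and flags the signs the comments describe: a file that has vanished, an unsigned binary, one created in the last few days, or one living under a Temp or AppData folder. It assumes Windows PowerShell 2.0 or later and only reports; it removes nothing, so the decision about what to delete stays with the person reading the list.

```powershell
# Added example, not from the article or its comments: enumerate the Run/RunOnce
# registry keys and the Startup folders, and flag entries with the traits that
# rogue antivirus droppers tend to show. Report only; nothing is modified.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders that legitimate autostart programs rarely live in but that the
# commenters found their infections under (temp areas, per-user profile dirs).
$oddDirs = @('\\Temp\\', '\\Local Settings\\', '\\AppData\\', '\\ProgramData\\')

# Pull the executable path out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\foo\bar.exe -x
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"')   { return $matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)')  { return $matches[1] }
    return $cmd.Trim()
}

# Build one report row for an autostart entry, attaching any warning flags.
function Test-Entry([string]$source, [string]$name, [string]$cmd) {
    $exe   = Get-ExePath $cmd
    $flags = @()
    if (-not (Test-Path -LiteralPath $exe)) {
        $flags += 'file missing'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        $item = Get-Item -LiteralPath $exe
        if ($item.CreationTime -gt (Get-Date).AddDays(-7)) { $flags += 'created in last 7 days' }
    }
    foreach ($d in $oddDirs) {
        if ($exe -match $d) { $flags += 'unusual location'; break }
    }
    New-Object PSObject -Property @{
        Source  = $source
        Name    = $name
        Command = $cmd
        Flags   = ($flags -join '; ')
    }
}

$results = @()

# Registry autostart values (skip the PSPath/PSParentPath properties that
# Get-ItemProperty adds to every object).
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $results += Test-Entry $k $p.Name ([string]$p.Value)
    }
}

# Per-user and all-users Startup folders (the folder jimfixit dropped SAS into).
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($d in $startupDirs) {
    if (Test-Path $d) {
        Get-ChildItem -Path $d | ForEach-Object {
            $results += Test-Entry $d $_.Name $_.FullName
        }
    }
}

# Flagged entries sort to the top so the suspicious ones are read first.
$results | Sort-Object Flags -Descending |
    Format-Table Source, Name, Flags, Command -AutoSize -Wrap
```

Two caveats when reading the output: shortcuts (.lnk files) in the Startup folder always show "signature NotSigned" because only the target binary carries a signature, and plenty of legitimate small utilities are unsigned too, so a flag is a reason to look the name up (as david suggests above), not proof on its own. An entry whose command runs from a random-looking folder, like the gjsevuvea\cayartistssd.exe path nipsy found, will show both "unusual location" and a recent creation date.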

  94. matt

    OMG got this today… I didn’t really take any of these steps. I shut all bad programs down in Task manager and an alternative task manager and deleted each infected file. I am currently scanning with AVG and will try that malware program just in case….

    yay for computer :|

  95. Jeff W

    Hey all. Just cleaned this off my wife’s Win XP pc, or I am cleaning it.
    Ran SuperAntiSpyware, that found most of it and allowed me to use the pc.
    Ran Malware and it found 3 registry entries SuperAntiSpyware missed.
    Ran Norton and it found a couple more “fragments”.

    One thing I did notice that hasn’t been mentioned here yet, it seems to have changed the group policies settings so I am not able to access system restore settings to delete old restore points.

    Is this a new feature or am I missing something?

    Thanks

  96. carl

    all I did was log in safe mode, used internet options, deleted cookies, temp files… then used restore… and bing bang done, took all about 5 minutes, then used my anti virus and spy bot to check and all was ok.. peace.

  97. YAX

    Strange to see all these comments with so many different ways to try to fix the issues. As a computer support tech, I’ve always just asked the person when they first saw the fake antivirus appear, then do a system restore to a date prior to the infection and it has always worked just fine for me. Takes but a few minutes. The fake antivirus was removed and doesn’t do any more damage. If you want, you can try to look for the files of that program and manually remove any you find, but I haven’t found any computers misbehaving after I used system restore.

  98. Kelley

    I just got this virus the day before yesterday. It wouldn’t let me look at anything in my computer or let me log off, it was just stuck on my desktop. I had run many virus scans and system restore but my internet still directs me to pages that are ads. I cannot rid my computer completely of it. I have had my same laptop since 2002, use it daily all day and night, and never has anything like this happened to me before! My question is if it comes back again is there a way to make it stop what it is doing and get off your computer? You can’t just sit there and watch it happen so what should you do?

  99. Nate

    I have tried to follow this process, but after I disabled the proxy and ran superantispyware, I have been unable to connect to the internet via my wireless. As such, I cannot get access to the malwarebytes. Anyone had this problem or any suggestions?

  100. Vincent

    HELP OK so I’ve tried to do this but I’m not sure what to do to the LAN thing. I tried to uncheck the box and hit OK but apply didn’t light up. I’m lost with what to do, can some one tell me exactly what to do

  101. Jl

    Just a warning to those getting this virus or in danger of getting it. Over the past 2 days I’ve had a problem with this. Day 1 when I originally got it I followed a link on Wikipedia. I ended up getting rid of it, totally forgot about Wikipedia, went to look something else up there about an insect the following day and ended up getting it again. Watch out for that site right now, anything, links, pics whatever can give you malware. Must resist Wikipedia habit.

  102. spotty the dalmatian

    had the virus and unfortunately after 5 hours and before reading all these very helpful fixes—I used a day old image (thank goodness I have an imaging program) to overwrite the damn thing!

    I came across a 99.9% solution–it is software called sandboxie (sandboxie.com). Take a look see—been using it now for over a week and ALL attacks are immediately reversible!

    peace

  103. G of E

    I used the “Super” program in SafeMode. It seemed to work well. I rebooted and ran the Malware program; more ’stuff’ was found and deleted. Then I reconnected my MagicJack and voila! It all went to CRAPOLA again!! Argh!
    After stewing for a day or two with no computer or time to fart with it, I sat down and reloaded with a new download of “Super” in SafeMode. Faster finding of the crap (duh – the computer was on for less than five minutes when it came back after the first “repair”), then it rebooted.
    This is crazy! The trojan is still here, the malware program can’t be opened (it’s infected), the MagicJack is still infected, everything is still infected, can’t be opened – total trashed waste of time.
    I’m going back into SafeMode to see if I can use any System Restore dates or not.
    I wish I still knew the Russian phrase equivalent for “Bl*w Me”. If they had stayed Commie, this would not be happening.

  104. Tasha

    Hi, I have some viruses on my laptop & I have attempted to remove them w/ the Norton 360 4.0 version software. I installed it on my computer, but was only able to run a quick scan not a full complete scan because of my internet connection. It scanned and found 103 threats and some viruses and said they were removed but that little red and white box keeps popping up saying windows has detected harmful malware trojans trying to steal passwords, etc. I hit ignore each time and keep trying to register my software but when I tried to complete the registration & activation of my software, I get a message saying my software activation is not complete because I’m not connected to the internet / symantec doesn’t detect an internet connection. How do I fix this issue w/ my internet connection? I think the virus has blocked me from connecting to the internet. Please help!!!

  105. tomas

    Hi, beware of “ANTIVIR SOLUTION” / “AVSolution”, just got one :/

  106. Bethany

    My brother just got the ANTIVIR SOLUTION yesterday and I have been trying for hours to figure it out. Even when I follow ALL instructions I can’t get on the internet (even in safe mode with networking). I obviously can’t download any of the amazing programs to get rid of it. Any solutions???

  107. Abbe

    @Bethany: I guess you have tried to uncheck the “use a proxy server” option in Internet Options of Internet Explorer? You can also try putting the software on a USB drive or CD…

    I got this very annoying Antivir crap yesterday. This article helped me fix it. Thanks a lot!

    The only problem I had was booting into safe mode. When I pressed F8 I could only choose between boot devices. But I think it’s a setting in my BIOS that does this.
    Just disconnecting the power of my PC while in Vista and then starting the machine up again got me the screen to choose safe mode.

    The problem was gone after running a full scan with SUPERAntiSpyware. Malwarebytes also found 6 threats and I’m running Microsoft Security Essentials now.

  108. popa_dopalus

    Gotta tell ya, “You really helped me out”… just bought a new HP Pavilion laptop and got this very same virus on it… darn thing cost, but I picked it up for half the price… HP has had it for the last 6 months because it “CRASHED HARD” and really “rebuilt” the “refurbished” HP for free (got the 4 year warranty)… but now when I, a simple-minded nerd, try to use the F11 key to reset it back to factory it freezes mid-process (I refuse to leave the store when they call me to pick it up because I know it will still freeze with F11)… HP techs can reset it because they are not using the simple F11 layman’s key but their tech stuff… “I’m no tech?!?!”… It’s going on 8 months and I have not watched a Blu-ray disc yet… and many work orders later it still freezes because of the virus, I think… any ideas?… This one is a loaner and I was able to bypass most of this because I liked the older version of Firefox 2.0 and was not locked out from the net, although it did lock me out of Google Chrome… Thanks Firefox.

  109. jackp9067

    Hi. I got this virus a couple weeks ago on my sister’s laptop. I shut down her laptop and waited a couple days as I did some research. When it booted up the virus appeared to be gone. I did a system restore to a date before the infection. I then installed Microsoft Security Essentials because her Norton trial expired a while ago and she didn’t tell anyone (which is probably why she got the virus in the first place). I ran a full scan with MSE and it found some stuff (I don’t remember what exactly, but one was something like “fakespypro”) and removed it. I thought I was good until a couple days ago it came back while I was on the internet. This time it doesn’t seem like it’s going to go away. I plan to stop system restore because of comments that say it also gets infected and follow the steps in this article. However, I am wondering why it magically “disappeared” the first time and if I need to do something extra to get rid of it. I will post my progress. Thanks

  110. Birn_AZ

    This virus was like my in-laws: showed up uninvited and was next to impossible to get rid of! After reading all of these posts, my plan of attack was to load SUPERAntiSpyware, Malwarebytes, and Microsoft Security Essentials on my jump drive. I booted up my infected laptop (safe mode was disabled, so I had to do a regular boot), immediately hit ++ to bring up Task Manager, and ended all unfamiliar processes as quickly as possible. There was no process called sysguard.exe. Next, I tried running Malwarebytes.com but got an error message. So I ran Microsoft Security Essentials, which found and removed two worms: Orbina and Sirefef. Next step, reboot. Next step, run SUPERAntiSpyware. Hasn’t found anything yet. Hoping I’m good at this point. Will post an update tomorrow. Thank you, thank you, thank you, howtogeek for the helpful information and the opportunity to learn from others’ experiences.

  111. Birn_AZ

    The combination of Microsoft Security Essentials and SUPERAntiSpyware worked like a charm. Never did get Malwarebytes to work, even after uninstalling and reinstalling.

  112. shltstalnwayne

    Can I do this from my administrative account or from the infected account? It popped up on one of my AVG scans on my other account, which is not infected, and I put it in the vault and checked “remove this threat as power user”. That means I can remove it from that account, right?

  113. ozo

    Hello. Thanks for the tips; they led me in the right direction. Jumped to Task Manager and could not find a process with sysguard.exe. Loaded a flash drive with Malwarebytes (on another computer) and went to safe mode on the infected computer. It found 2 infected files called rogue suite. Dumped them and went to connections to see if proxy was on; it wasn’t. Rebooted and had to go back to connections as proxy was now on… unchecked it and everything is back to normal so far…
    Thanks again

  114. ozo

    Sad to report it is back. Rogue antivir suite is the entire name. Trying some other things now… adding MS Essentials now. Seems(?) to have detected other viruses… who knows. I’ll keep you posted

  115. WastedWeekend

    I may have gotten this fake antivirus infection by watching a DVD on my computer, maybe something to do with a codec needed to watch the movie.
    Anyway, I didn’t find anything named xxxSYSGUARD.EXE. Instead, the offending file probably was qbvvagltssd.exe, which bears some resemblance to the name another poster mentioned that was like xxxssd.exe (having ssd.exe in common).
    This malware seems to have modified my Firefox and I.E. browsers to use proxy servers.
    I’ve read the suggestion elsewhere that the virus may have entered through Javascript.
    I bet the authors of that malware read sites like this and continually modify their malware to be even more difficult to deal with based on what victims like us are doing to get rid of it.

  116. mjmackay

    All you have to do is reboot, press F8, click on – safe mode with networking, once in system, restore system to a previous date…. problem solved

  117. Alex

    Hey guys, I just got this nasty virus this morning, even though I had the real Avira running.

    Here’s how I fixed it; you can do this without even rebooting once! It closes every window that you open, including the Task Manager, but it doesn’t close any windows that are already open when the virus loads. So press Ctrl-Shift-Esc immediately after you log in, you know, at that phase where you can see your desktop, but before your taskbar starts filling up with those little icons of all the crap you have installed on your computer.

    Then you can just kill the process for the virus. Note that there’s several of them, I had a civiy.exe, a bfn.exe (that calls itself BitDefender), and something else called ndgxpmptssd.exe. (Tip: if you see something you don’t recognize in your list of processes, regardless of how legit the name looks, right click it and see the exe location. If it’s running from a Temp or AppData\Local directory, it’s not legit.)

    BUT, before you kill the processes, right-click, look at properties, and find out where the exe lives so you can delete it.

    I also went in and fixed the proxies on my browser.

    Anybody know where the virus comes from? If you have any idea, email me alexisme999@yahoo.com

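The two fixes that keep recurring in the comments above, Abbe’s unchecking of “use a proxy server” in Internet Options and Alex’s check of where each unfamiliar process is running from, as a PowerShell script. This is an added example, not code from the article or from any commenter. It assumes PowerShell 2.0 or later run from an administrator prompt in Safe Mode with Networking; the registry key is the standard Internet Explorer per-user settings location and the directory pattern is a heuristic, not a signature of any particular sample. The function names are my own.

```powershell
# Added example, not from the article or its commenters. Assumes PowerShell 2.0+
# in an elevated prompt. Function names are illustrative.

# --- 1. Triage running processes by image path ----------------------------------
# The rogue binaries named in these comments (qbvvagltssd.exe, ndgxpmptssd.exe,
# bfn.exe, ...) ran from a user's Temp or AppData\Local directory. List every
# process whose image lives there. Treat the output as a lead, not a verdict:
# Google Chrome and some updaters legitimately run from AppData\Local too.
# This only lists; nothing is killed here.
function Get-SuspiciousProcess {
    Get-Process |
        Where-Object { $_.Path } |                                   # skip processes with no readable path
        Where-Object { $_.Path -match '\\(Temp|AppData\\Local)\\' } |
        Select-Object Id, ProcessName, Path
}

# Kill a process by Id but hand back its image path first, so you can still
# delete the file after the window is gone (Alex's "check properties before
# you kill it").
function Stop-ProcessAndReturnPath {
    param([Parameter(Mandatory=$true)][int]$Id)
    $proc = Get-Process -Id $Id
    $path = $proc.Path
    Stop-Process -Id $Id -Force
    return $path
}

# --- 2. Internet Explorer proxy hijack ------------------------------------------
# The GUI checkbox "Use a proxy server for your LAN" is ProxyEnable under this
# key; ProxyServer holds host:port and AutoConfigURL a PAC script URL.
$IESettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IEProxy {
    Get-ItemProperty -Path $IESettings |
        Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

# Equivalent of unticking the checkbox and clearing the address field.
function Repair-IEProxy {
    Set-ItemProperty -Path $IESettings -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $IESettings -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $IESettings -Name AutoConfigURL -ErrorAction SilentlyContinue
}

# The proxy setting is per user, which is why cleaning one account and logging
# into another brings the hijack back. Check every user hive currently loaded
# under HKEY_USERS; only logged-on profiles (or hives you loaded with reg.exe)
# appear here.
function Get-IEProxyAllLoadedUsers {
    Get-ChildItem -Path Registry::HKEY_USERS | ForEach-Object {
        $key = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (Test-Path -Path $key) {
            $v = Get-ItemProperty -Path $key
            New-Object PSObject -Property @{
                Hive        = $_.PSChildName
                ProxyEnable = $v.ProxyEnable
                ProxyServer = $v.ProxyServer
            }
        }
    }
}

# Typical order in Safe Mode with Networking:
Get-SuspiciousProcess          # note the Id and Path of anything unfamiliar
# Stop-ProcessAndReturnPath -Id <Id>   then Remove-Item on the returned path
Get-IEProxy                    # ProxyEnable 1 with an unexpected ProxyServer means hijacked
Repair-IEProxy
Get-IEProxyAllLoadedUsers
```

Run the proxy check again after the next reboot: ozo’s report above (proxy off before reboot, on again after) is the usual sign that the process re-enabling it is still on the disk, so a clean proxy on its own is not proof the machine is clean. Firefox keeps its own proxy settings in the profile’s prefs.js and is not covered by the registry key above.
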
  118. Brian

    Hey all,
    I too have had my laptop infected by a rogue/fake antivirus running as ANTIVIR PRO which locks me out of all executable programs. I have taken the steps above, both in the guide and from tips in the comments, primarily running Malwarebytes and SUPERAntiSpyware in safe mode. Each time I attempt to run the programs I get about 10 minutes into the scan, which finds about 3-4 infections, and for some reason the laptop shuts down abruptly without warning, taking no action on the discovered infections. This particular laptop is a Toshiba Satellite L305D-S5868 running Windows Vista 64-bit and it has never had this abrupt shutdown issue before. I have read other forums citing heat buildup issues as the culprit, but I’m somewhat doubting that here since I never had a problem before and it seems to pop up only when I attempt to clear out this virus.
    Any information or guidance on this matter would be greatly appreciated.
    Thanks in advance!

  119. Patrick

    Let me share something that worked for me on one occasion: as the computer was booting up I immediately went to System Restore and was able to use it. Of course, once the computer boots up it prevents you using System Restore.

  120. Mark T

    Hats off to the guys at SUPER Anti-Spyware.

    Family member had a severe infection due to a fake antivirus trojan. Malwarebytes didn’t shift it as the AV would reboot the computer before it was finished. But SAS run with Windows in Safe Mode under the Administrator logon did the trick.

    Great work guys. Thank you.

  121. jackie

    So, if this is so prevalent, why has Microsoft not created something to solve it? I have had it twice on a networked computer. I have not had it on the system that I only use Firefox on.
    I just directed my daughter, who has about four hours of work to do, to call Microsoft. Didn’t find your website until after I told her to call.
    Thanks for the clarification on the server window; I was confused on that one.

  122. Magnus

    Dude, thank you! You have saved my day :) I followed the tutorial and it made my PC 100% clean! Thank you, again!

  123. Clay

    I just had this same problem on my girlfriend’s computer so I was freaking out. All I did was reboot in safe mode and go back to a safe point like someone else earlier had commented. I did try to sweep it several times in safe mode with networking as advised. It would catch it every time and I would delete it. Then when I would reboot I would be right back to where I was with this pain in the ass virus going crazy. I finally just reverted back to an earlier state using safe mode and Windows troubleshooter. So if you come across this virus I would recommend doing this first before following all the other steps.

  124. attacked chick

    I got the dreaded antivirus software virus last night and followed your advice. I wanted to say thank you so much; it was simple and to the point. You are my Geek hero!!!

  125. Steveo

    Hi, I have been attacked by some rogue antivirus that fits all the descriptions above. I have downloaded SUPERAntiSpyware and run it in safe mode; however, it is not picking up the rogue virus. Please help me and advise what I should do next? Thanks

  126. emmie

    Hey,
    My sister’s PC had a malware attack. I ran the SUPERAntiSpyware program and it was all good. When I went back to the internet to download Malwarebytes, the internet search engines wouldn’t work. Any time I clicked on anything on the internet, the link took me to random and obscure sites. When I went into Internet Options, it said it didn’t have a folder connection and that I would have to go into folder options to create a link or something. I don’t know what to do at this point. I eventually managed to download Malwarebytes, but whenever I tried to run the program the same message appeared as it did for Internet Options. I really don’t know what to do at this point.

  127. Francis

    Thank you so much, I’ve been up all night trying to kill this thing, and this article helped. One piece of constructive criticism though, in the picture of internet options, is this what it’s supposed to look like on a clean system? You just say “We need to fix this” and post a picture, then move on. I went to the advanced tab and just reset IE’s settings, and what I got in the LAN settings was the “automatically detect settings” box checked. I don’t use IE (Firefox ftw!), but just trying to make a great article better.

  128. SFH

    Followed the advice in the article and it cleaned my system. Booted in Safe with networking, ran the ASA scan, deleted the Rogue Anti Virus infection. Great help. Thanks.

  129. Eric Common

    This software seems to be helping me so far and was easy to download and quickly started on my computer. It checks memory items, registry items, file items and then records it all for you to see. GREAT FREE VIRUS FIXER… Definitely recommend using both Malwarebytes and SUPERAntiSpyware.

  130. Eric Common

    Seems to be that after I used those softwares the virus was still there… I’m sad now. I now went into safe mode and clicked no when it logged in and asked me to log in on safe mode.
    I CLICKED NO
    NO SAID TO RESTORE TO A POINT
    You should click no and it will force a restore to a point. Try and get it back about a month or so, as long as you won’t lose too much data, but trust me, the life of your computer is way more important than some data lost. Hopefully this will work for me…

  131. Diddy 2.0

    THANK YOU to whoever wrote this! This literally saved my laptop. Only thing I would suggest, and I don’t know if this happens to everyone, I wouldn’t even bother trying to run anything without being in Safe Mode, because the killer for me was the “Task Manager_Hijacker” and some other one that killed any access to getting to my home page of Internet Explorer, let alone any sites to download malware and spyware removers.

  132. dnolen

    I am trying to get this virus off of my son’s computer and am having trouble getting it off of all user accounts at the same time. I run all of these steps on my user (administrator) account and clear it, but any other account I log in to re-infects all the accounts, including mine. They all have the proxy LAN step removed on IE, but I can’t get the SAS and Malwarebytes to run on the other users. I can’t get rkill.com to run on anything but the admin account.

    Does anyone know how to make SAS and Malwarebytes search all users at the same time to get rid of this?

  133. djlight

    Trying to clean a studio computer at my church. All malware progs say the computer is clean now….however…when I try to go to Google or Yahoo, etc…I see that something is still hijacking IE and Firefox. Any suggestions?

    //djlight

  134. Believer

    I was incredibly doubtful to say the least, but I already had a virus, so if this had turned out to be one I wouldn’t have lost too much, but it DID work.

  135. Walt

    Many thanks. The virus seems a bit smarter, as even in safe mode parts of it ran. (I don’t know how that’s possible, but we just watched it happen. A phoney virus warning popped up, but I was able to ignore it without more popping up.) However, we were able to run Malwarebytes, which was the only program out of the group I tried that got rid of the virus. (Nasty!)
    Spybot identified it, but couldn’t remove it… So I have a new fave malware protector!

  136. Lia

    My son had this rogue virus. It was a real pain and stopped us opening marlrebytes, and Norton 360 didn’t even recognise it was there!!!! Even stopped us opening Internet Explorer, trying to scare us into paying for an expensive spyware.

  137. Lia

    Oops, spelling mistake: Malwarebytes on the previous mail.

  138. Joan

    Thank you very much for this post. Fixed my NETBOOK from the FAKE ANTIVIRUS. It SAVED ME the big COST of a Virus Removal Fee. Thank you.
